Edit tour

Windows Analysis Report
Uninstall.exe

Overview

General Information

Sample name:	Uninstall.exe
Analysis ID:	1528656
MD5:	7904be8f714449e8d7d23d98d5942aef
SHA1:	a5f579b308d08e595cb6b3601e7e354f157be33d
SHA256:	c5e1df2580fa74e4caa8ff329d1e4b820093ef9d29433e644b227186beb6954a
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

Sample file is different than original file name gathered from version info

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Uninstall.exe (PID: 7408 cmdline: "C:\Users\user\Desktop\Uninstall.exe" MD5: 7904BE8F714449E8D7D23D98D5942AEF)

Au_.exe (PID: 7432 cmdline: "C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\user\Desktop\ MD5: 7904BE8F714449E8D7D23D98D5942AEF)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\nsf2165.tmp\NSISPlugin.dll	Virustotal: Detection: 14%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	ReversingLabs: Detection: 45%
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Virustotal: Detection: 50%	Perma Link

Multi AV Scanner detection for submitted file

Source: Uninstall.exe	ReversingLabs: Detection: 45%
Source: Uninstall.exe	Virustotal: Detection: 50%			Perma Link

Source: Uninstall.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Uninstall.exe

Static PE information: certificate valid

Source:

Binary string: C:\CODE\vitruvian\client\Installers\Windows\NSISPlugin\Release\NSISPlugin.pdb source: Au_.exe, 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmp, Au_.exe, 00000001.00000002.2973586073.000000000299E000.00000004.00000020.00020000.00000000.sdmp, NSISPlugin.dll.1.dr, nsu2089.tmp.1.dr

Source: C:\Users\user\Desktop\Uninstall.exe	Code function: 0_2_00405E61 FindFirstFileA,FindClose,	0_2_00405E61
Source: C:\Users\user\Desktop\Uninstall.exe	Code function: 0_2_0040263E FindFirstFileA,	0_2_0040263E
Source: C:\Users\user\Desktop\Uninstall.exe	Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_0040548B
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: 1_2_00405E61 FindFirstFileA,FindClose,	1_2_00405E61
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: 1_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	1_2_0040548B
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: 1_2_0040263E FindFirstFileA,	1_2_0040263E

Source: unknown

DNS traffic detected: query: 18.31.95.13.in-addr.arpa replaycode: Name error (3)

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa

Source: Uninstall.exe, Au_.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/gs/gscodesigng2.crl0
Source: Uninstall.exe, Au_.exe.0.dr	String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: Uninstall.exe, Au_.exe.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Au_.exe, Au_.exe, 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmp, Au_.exe, 00000001.00000000.1721749700.0000000000409000.00000008.00000001.01000000.00000004.sdmp, Uninstall.exe, Au_.exe.0.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Uninstall.exe, Au_.exe.0.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Uninstall.exe, Au_.exe.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: Uninstall.exe, Au_.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesigng20
Source: Uninstall.exe, Au_.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesigng2.crt04
Source: Uninstall.exe, Au_.exe.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Uninstall.exe, Au_.exe.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Uninstall.exe, Au_.exe.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Uninstall.exe, 00000000.00000002.1722365263.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 00000000.00000002.1722642452.0000000002804000.00000004.00000020.00020000.00000000.sdmp, Au_.exe, 00000001.00000002.2973586073.000000000296D000.00000004.00000020.00020000.00000000.sdmp, Au_.exe, 00000001.00000002.2972921606.0000000000828000.00000004.00000020.00020000.00000000.sdmp, nsz1ED4.tmp.0.dr, nsu2089.tmp.1.dr	String found in binary or memory: http://www.linkwizapp.com/uninstall-success
Source: Uninstall.exe, 00000000.00000002.1722365263.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 00000000.00000002.1722642452.0000000002804000.00000004.00000020.00020000.00000000.sdmp, Au_.exe, 00000001.00000002.2973586073.000000000296D000.00000004.00000020.00020000.00000000.sdmp, Au_.exe, 00000001.00000002.2972921606.0000000000828000.00000004.00000020.00020000.00000000.sdmp, nsz1ED4.tmp.0.dr, nsu2089.tmp.1.dr	String found in binary or memory: http://www.linkwizapp.com/uninstall-successrundll32.exeopenShellExecuteAsSessionUserWithFallback
Source: nsu2089.tmp.1.dr	String found in binary or memory: https://weld.unitegenius.com/i?e=vitruvian-installer-uninstall-v0002
Source: Uninstall.exe, Au_.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Uninstall.exe, Au_.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/03

Source: C:\Users\user\Desktop\Uninstall.exe

Code function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405042

Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe

Code function: 1_2_10001529 GetWindowLongA,lstrlenA,lstrlenA,lstrlenA,GlobalAlloc,wsprintfA,CreateProcessA,GetLastError,MultiByteToWideChar,MultiByteToWideChar,lstrlenA,MultiByteToWideChar,GetDlgItem,GetDlgItem,SendMessageW,SendMessageW,GetDlgItem,SendMessageW,CreateProcessWithLogonW,GetLastError,GetLastError,FormatMessageA,MessageBoxA,LocalFree,GetLastError,GlobalFree,CloseHandle,EndDialog,SetWindowLongA,GetDlgItem,GetDlgItem,SendMessageA,SendMessageA,GetDlgItem,SendMessageA,LoadLibraryA,LoadImageA,GetDlgItem,SendMessageA,SendMessageA,GetDlgItem,SendMessageA,GetDlgItem,SendMessageA,DestroyWindow,

1_2_10001529

Source: C:\Users\user\Desktop\Uninstall.exe	Code function: 0_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		0_2_0040323C
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: 1_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		1_2_0040323C

Source: C:\Users\user\Desktop\Uninstall.exe	Code function: 0_2_00404853	0_2_00404853
Source: C:\Users\user\Desktop\Uninstall.exe	Code function: 0_2_00406131	0_2_00406131
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: 1_2_00404853	1_2_00404853
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: 1_2_00406131	1_2_00406131
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: 1_2_6E5C4ED2	1_2_6E5C4ED2
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: 1_2_6E5D4FD3	1_2_6E5D4FD3
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: 1_2_6E5D6FE7	1_2_6E5D6FE7
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: 1_2_6E5AAC87	1_2_6E5AAC87
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: 1_2_6E5D5CBF	1_2_6E5D5CBF
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: 1_2_6E5C3D6C	1_2_6E5C3D6C
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: 1_2_6E5D4A63	1_2_6E5D4A63
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: 1_2_6E5BFAF0	1_2_6E5BFAF0
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: 1_2_6E5CCA91	1_2_6E5CCA91
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: 1_2_6E5C3937	1_2_6E5C3937
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: 1_2_6E5D5543	1_2_6E5D5543
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: 1_2_6E5C351F	1_2_6E5C351F
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: 1_2_6E5CB20C	1_2_6E5CB20C
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: 1_2_6E5A83BA	1_2_6E5A83BA
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: 1_2_6E5C302B	1_2_6E5C302B
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: 1_2_6E5A3165	1_2_6E5A3165
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: 1_2_6E5C71AD	1_2_6E5C71AD
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: 1_2_6E5C41A1	1_2_6E5C41A1

Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: String function: 6E5C5E60 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: String function: 6E5C12ED appears 69 times
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: String function: 6E5A165E appears 86 times
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: String function: 6E5A22ED appears 33 times
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: String function: 6E5C1320 appears 49 times

Source: Uninstall.exe, 00000000.00000000.1718651106.000000000052B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamelinkwiz-setup.exe2 vs Uninstall.exe
Source: Uninstall.exe	Binary or memory string: OriginalFilenamelinkwiz-setup.exe2 vs Uninstall.exe

Source: Uninstall.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal56.winEXE@3/9@1/0

Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe

1_2_10001529

Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: 1_2_10002F22 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,		1_2_10002F22
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: 1_2_6E5B5EB6 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,		1_2_6E5B5EB6

Source: C:\Users\user\Desktop\Uninstall.exe

Code function: 0_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_00404356

Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe

Code function: 1_2_6E5AD008 GetCurrentProcessId,ProcessIdToSessionId,CreateToolhelp32Snapshot,_memset,Process32First,ProcessIdToSessionId,Process32Next,CloseHandle,CloseHandle,OpenProcess,OpenProcessToken,CloseHandle,

1_2_6E5AD008

Source: C:\Users\user\Desktop\Uninstall.exe

Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar,

0_2_00402020

Source: C:\Users\user\Desktop\Uninstall.exe

File created: C:\Users\user\AppData\Local\Temp\nsj1EC3.tmp

Jump to behavior

Source: Uninstall.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Uninstall.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Uninstall.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Uninstall.exe	ReversingLabs: Detection: 45%
Source: Uninstall.exe	Virustotal: Detection: 50%

Source: C:\Users\user\Desktop\Uninstall.exe

File read: C:\Users\user\Desktop\Uninstall.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Uninstall.exe "C:\Users\user\Desktop\Uninstall.exe"
Source: C:\Users\user\Desktop\Uninstall.exe	Process created: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe "C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\user\Desktop\
Source: C:\Users\user\Desktop\Uninstall.exe	Process created: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe "C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\user\Desktop\	Jump to behavior

Source: C:\Users\user\Desktop\Uninstall.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uninstall.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uninstall.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uninstall.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uninstall.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uninstall.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uninstall.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uninstall.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Uninstall.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Section loaded: textshaping.dll	Jump to behavior

Source: C:\Users\user\Desktop\Uninstall.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Uninstall.exe

Static PE information: certificate valid

Source:

Source: C:\Users\user\Desktop\Uninstall.exe

Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405E88

Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: 1_2_02502A10 push eax; ret	1_2_02502A3E
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: 1_2_6E5C5EA5 push ecx; ret	1_2_6E5C5EB8
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: 1_2_6E5C8473 pushad ; ret	1_2_6E5C8474
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: 1_2_6E5C12BB push ecx; ret	1_2_6E5C12CE

Source: C:\Users\user\Desktop\Uninstall.exe	File created: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	File created: C:\Users\user\AppData\Local\Temp\nsf2165.tmp\UAC.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	File created: C:\Users\user\AppData\Local\Temp\nsf2165.tmp\NSISPlugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	File created: C:\Users\user\AppData\Local\Temp\nsf2165.tmp\nsDialogs.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	File created: C:\Users\user\AppData\Local\Temp\nsf2165.tmp\System.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe

Code function: 1_2_100012B3 GetModuleFileNameA,SendMessageA,GetDlgItem,lstrcatA,GetDlgItem,GetPrivateProfileIntA,GetPrivateProfileIntA,EnableWindow,GetPrivateProfileIntA,ShowWindow,

1_2_100012B3

Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe

Code function: 1_2_6E5C4ED2 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_6E5C4ED2

Source: C:\Users\user\Desktop\Uninstall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Uninstall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Uninstall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe

1_2_6E5AD008

Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsf2165.tmp\UAC.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsf2165.tmp\NSISPlugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsf2165.tmp\nsDialogs.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsf2165.tmp\System.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_1-33805

Source: C:\Users\user\Desktop\Uninstall.exe	Code function: 0_2_00405E61 FindFirstFileA,FindClose,	0_2_00405E61
Source: C:\Users\user\Desktop\Uninstall.exe	Code function: 0_2_0040263E FindFirstFileA,	0_2_0040263E
Source: C:\Users\user\Desktop\Uninstall.exe	Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_0040548B
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: 1_2_00405E61 FindFirstFileA,FindClose,	1_2_00405E61
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: 1_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	1_2_0040548B
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: 1_2_0040263E FindFirstFileA,	1_2_0040263E

Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe

Code function: 1_2_6E5BE5BB VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect,

1_2_6E5BE5BB

Source: C:\Users\user\Desktop\Uninstall.exe	API call chain: ExitProcess graph end node	graph_0-3167
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	API call chain: ExitProcess graph end node	graph_1-33453
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	API call chain: ExitProcess graph end node	graph_1-33489
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	API call chain: ExitProcess graph end node	graph_1-33491

Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe

Code function: 1_2_6E5CFB1E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

1_2_6E5CFB1E

Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe

Code function: 1_2_6E5CFB1E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

1_2_6E5CFB1E

Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe

1_2_6E5AD008

Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe

Code function: 1_2_6E5BE5BB VirtualProtect ?,-00000001,00000104,?,?,?,0000001C

1_2_6E5BE5BB

Source: C:\Users\user\Desktop\Uninstall.exe

Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405E88

Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe

Code function: 1_2_06D91759 Create,GetDlgItem,GetWindowRect,MapWindowPoints,CreateDialogParamA,SetWindowPos,SetWindowLongA,GetProcessHeap,HeapAlloc,

1_2_06D91759

Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe

Code function: 1_2_6E5C5141 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_6E5C5141

Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe

Code function: 1_2_1000255E _,CreateEventA,CreateEventA,CreateEventA,CreateFileMappingA,MapViewOfFile,GetLastError,CreateThread,GetLastError,WaitForSingleObject,GetExitCodeThread,GetCurrentProcessId,GetCurrentProcessId,GetCurrentThreadId,wsprintfA,SendMessageA,GetCurrentProcessId,GetCurrentThreadId,SetWindowLongA,GetCurrentProcessId,GetCurrentThreadId,wsprintfA,GetCurrentProcessId,GetCurrentProcessId,GetCurrentThreadId,wsprintfA,GetLastError,GetCurrentProcessId,SetCurrentDirectoryA,PostMessageA,GetCommandLineA,IsWindowVisible,GetModuleHandleA,CreateDialogParamA,GetWindowLongA,GetWindowLongA,SetWindowLongA,SetWindowPos,LoadIconA,FindWindowExA,ShowWindow,ShowWindow,FindWindowExA,GetDlgItem,ShowWindow,GetClientRect,SetWindowPos,GetWindowLongA,SetWindowLongA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,GlobalAlloc,GlobalFree,GlobalAlloc,GetModuleFileNameA,lstrlenA,GlobalAlloc,wsprintfA,SetForegroundWindow,ShellExecuteExA,GetLastError,UnhookWindowsHookEx,GetCurrentProcessId,GetCurrentThreadId,MsgWaitForMultipleObjects,GetExitCodeProcess,GetLastError,CloseHandle,CloseHandle,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GlobalFree,

1_2_1000255E

Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe

Code function: 1_2_6E5C5657 cpuid

1_2_6E5C5657

Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	1_2_6E5D1E0D
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,	1_2_6E5D1E90
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	1_2_6E5D0C69
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: GetLocaleInfoW,	1_2_6E5D1CA2
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: EnumSystemLocalesW,	1_2_6E5D1D50
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	1_2_6E5CFDD8
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	1_2_6E5D1D90
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,GetLocaleInfoW,	1_2_6E5D1AE0
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeW,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	1_2_6E5C2919
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	1_2_6E5D0665
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: GetLocaleInfoW,	1_2_6E5C54E9
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: EnumSystemLocalesW,	1_2_6E5C54AC
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	1_2_6E5D025C
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	1_2_6E5D2258
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: _memset,_TranslateName,_TranslateName,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	1_2_6E5D22C0
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,	1_2_6E5C60D1
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: GetLocaleInfoW,	1_2_6E5D2083
Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_6E5D21AB

Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe

Code function: 1_2_6E5B1ED8 GetISO8601Time,GetSystemTime,swprintf,

1_2_6E5B1ED8

Source: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe

Code function: 1_2_10001164 SendMessageA,GetDlgItem,GetUserNameA,wsprintfA,GetDlgItem,GetDlgItem,SendMessageA,SendMessageA,LoadLibraryA,LoadStringA,GetDlgItem,SendMessageA,

1_2_10001164

Source: C:\Users\user\Desktop\Uninstall.exe

Code function: 0_2_00405B88 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405B88

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	2 Native API	1 Valid Accounts	1 Valid Accounts	1 Valid Accounts	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	LSASS Memory	14 Security Software Discovery	Remote Desktop Protocol	1 Clipboard Data	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	11 Access Token Manipulation	11 Access Token Manipulation	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Process Injection	1 Process Injection	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	25 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Uninstall.exe	45%	ReversingLabs	Win32.Adware.NetFilter
Uninstall.exe	51%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsf2165.tmp\NSISPlugin.dll	7%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsf2165.tmp\NSISPlugin.dll	14%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\nsf2165.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsf2165.tmp\System.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\nsf2165.tmp\UAC.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsf2165.tmp\UAC.dll	1%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\nsf2165.tmp\nsDialogs.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsf2165.tmp\nsDialogs.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	45%	ReversingLabs	Win32.Adware.NetFilter
C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe	51%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
18.31.95.13.in-addr.arpa	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://nsis.sf.net/NSIS_Error	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_Error	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://www.linkwizapp.com/uninstall-success	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
18.31.95.13.in-addr.arpa	unknown	unknown	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://weld.unitegenius.com/i?e=vitruvian-installer-uninstall-v0002	nsu2089.tmp.1.dr	false		unknown
http://nsis.sf.net/NSIS_Error	Au_.exe, Au_.exe, 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmp, Au_.exe, 00000001.00000000.1721749700.0000000000409000.00000008.00000001.01000000.00000004.sdmp, Uninstall.exe, Au_.exe.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	Uninstall.exe, Au_.exe.0.dr	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	Uninstall.exe, Au_.exe.0.dr	false	URL Reputation: safe	unknown
http://www.linkwizapp.com/uninstall-success	Uninstall.exe, 00000000.00000002.1722365263.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 00000000.00000002.1722642452.0000000002804000.00000004.00000020.00020000.00000000.sdmp, Au_.exe, 00000001.00000002.2973586073.000000000296D000.00000004.00000020.00020000.00000000.sdmp, Au_.exe, 00000001.00000002.2972921606.0000000000828000.00000004.00000020.00020000.00000000.sdmp, nsz1ED4.tmp.0.dr, nsu2089.tmp.1.dr	false	0%, Virustotal, Browse	unknown
http://ocsp.thawte.com0	Uninstall.exe, Au_.exe.0.dr	false	URL Reputation: safe	unknown
http://www.linkwizapp.com/uninstall-successrundll32.exeopenShellExecuteAsSessionUserWithFallback	Uninstall.exe, 00000000.00000002.1722365263.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, 00000000.00000002.1722642452.0000000002804000.00000004.00000020.00020000.00000000.sdmp, Au_.exe, 00000001.00000002.2973586073.000000000296D000.00000004.00000020.00020000.00000000.sdmp, Au_.exe, 00000001.00000002.2972921606.0000000000828000.00000004.00000020.00020000.00000000.sdmp, nsz1ED4.tmp.0.dr, nsu2089.tmp.1.dr	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528656
Start date and time:	2024-10-08 07:49:33 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Uninstall.exe
Detection:	MAL
Classification:	mal56.winEXE@3/9@1/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 80 Number of non-executed functions: 179
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsf2165.tmp\System.dll	WhiteDefenderSetup64_20201118.exe	Get hash	malicious	GuLoader	Browse
	WhiteDefenderSetup64_20201118.exe	Get hash	malicious	GuLoader	Browse
	563299efce875400a8d9b44b96597c8e-sample (1).zip	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.FileRepMalware.20128.24359.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Adware-gen.4366.267.exe	Get hash	malicious	Unknown	Browse
	bomgar-scc-w0yc30wie5hdhfjjhy58wyh1jzdzhxyz5yxjj7c40jc90 (1).exe	Get hash	malicious	Unknown	Browse
	bomgar-scc-w0yc30wie5hdhfjjhy58wyh1jzdzhxyz5yxjj7c40jc90 (1).exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Malware-gen.27948.29630.exe	Get hash	malicious	Unknown	Browse
	https://icrealtime.com/downloads/2	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsf2165.tmp\NSISPlugin.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346624
Entropy (8bit):	6.242686567730904
Encrypted:	false
SSDEEP:	6144:Vrq5Ie+LXuQbXghp2nWCU3Hi3sjLUyKiO4HbRcAQ:VXXgHxCU3pP3BO4HVlQ
MD5:	0431EF600E258E7AFE9452DB09463CDD
SHA1:	F16DB68FA7D7BC6883180D231F0C5802AF16B77D
SHA-256:	EE0335B94C561AD89F5979ED1439918E7CCDC371F57282847098202DABB03609
SHA-512:	A8DC1658BE8ED920D1C1F3BA5E509FA92C52EF92FB87ED0FAB03221F0CAD254D85EFCCAAFC4690725BD1CF1F0C57C60C85C1FA2DD0908447AED7F8A309997818
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 7% Antivirus: Virustotal, Detection: 14%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Yrn.Yrn.Yrn.....Ern......rn.P..Xrn......rn.Yro..rn.P...Hrn.P..]rn.?...Nrn.?...Xrn.?...Xrn.?...Xrn.?...Xrn.RichYrn.........................PE..L...\,(U...........!................e.....................................................@..........................\|......xo...................................1......8............................'..@...............@............................text...>........................... ..`.rdata..............................@..@.data....G.......&...l..............@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsf2165.tmp\System.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	5.568877095847681
Encrypted:	false
SSDEEP:	192:7DKnJZCv6VmbJQC+tFiUdK7ckD4gRXKQx+LQ2CSF:7ViJrtFRdbmXK8+PCw
MD5:	C17103AE9072A06DA581DEC998343FC1
SHA1:	B72148C6BDFAADA8B8C3F950E610EE7CF1DA1F8D
SHA-256:	DC58D8AD81CACB0C1ED72E33BFF8F23EA40B5252B5BB55D393A0903E6819AE2F
SHA-512:	D32A71AAEF18E993F28096D536E41C4D016850721B31171513CE28BBD805A54FD290B7C3E9D935F72E676A1ACFB4F0DCC89D95040A0DD29F2B6975855C18986F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: WhiteDefenderSetup64_20201118.exe, Detection: malicious, Browse Filename: WhiteDefenderSetup64_20201118.exe, Detection: malicious, Browse Filename: 563299efce875400a8d9b44b96597c8e-sample (1).zip, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.FileRepMalware.20128.24359.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Adware-gen.4366.267.exe, Detection: malicious, Browse Filename: bomgar-scc-w0yc30wie5hdhfjjhy58wyh1jzdzhxyz5yxjj7c40jc90 (1).exe, Detection: malicious, Browse Filename: bomgar-scc-w0yc30wie5hdhfjjhy58wyh1jzdzhxyz5yxjj7c40jc90 (1).exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Malware-gen.27948.29630.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j....l.9..i....l.Richm.........................PE..L......K...........!................0).......0...............................`......................................p2......t0..P............................P.......................................................0..X............................text...1........................... ..`.rdata.......0......."..............@..@.data...d....@.......&..............@....reloc.......P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsf2165.tmp\UAC.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.986927458483434
Encrypted:	false
SSDEEP:	192:vIARvmFvcukSWn8EAKVZ8148Dj33RZgqWVWYuOUEjRuFzEun0J:v2mukSe8EA88pRZAVWYuO3cFznny
MD5:	431E5B960AA15AF5D153BAE6BA6B7E87
SHA1:	E090C90BE02E0BAFE5F3D884C0525D8F87B3DB40
SHA-256:	A6D956F28C32E8AA2AB2DF13EF52637E23113FAB41225031E7A3D47390A6CF13
SHA-512:	F1526C7E4D0FCE8AB378E43E89AAFB1D7E9D57EF5324501E804091E99331DD2544912181D6D4A07D30416FE17C892867C593AEE623834935E11C7BB385C6A0A8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........^!_.0r_.0r_.0r_.1r..0r.mrT.0r...r\.0r..6r^.0r..4r^.0rRich_.0r........PE..L...2..N...........!.....(...........-.......@...............................p.......................................7..<..../..x....P.......................`..........................................................d............................text....'.......(.................. ..`.data...T....@.......,..............@....rsrc........P.......0..............@..@.reloc.......`.......2..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsf2165.tmp\modern-wizard.bmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe
File Type:	PC bitmap, Windows 3.x format, 164 x 314 x 24, image size 154490, resolution 2834 x 2834 px/m, cbSize 154544, bits offset 54
Category:	dropped
Size (bytes):	154544
Entropy (8bit):	0.4630961294492186
Encrypted:	false
SSDEEP:	96:QVT8/8nf6rftgf5mqjpjf4xSllIWndQ2mntwdp/GqY9aZsA:QVT8EnfCftgRmqlb4cllIWdQBCyVauA
MD5:	2B026E30A30E3FC28BC8FE1E51E8D092
SHA1:	1DD5C6F8A612C8C582E84AFC74F6A8147D05A49B
SHA-256:	D78746EE9DC33760E0FB84E11EEB8A4BE9C1AA49E1EC4583D65DABFE7ACC896F
SHA-512:	0D441BA147F28F44F172EAED517C3BBE1BAAEC3AB76F27B04C4DE34E2A44B279D282C7FCADCF3E08B623BABD1151323CB4F99F94C41B6D88F35B629FB90FB728
Malicious:	false
Reputation:	low
Preview:	BM.[......6...(.......:...........z[....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsf2165.tmp\nsDialogs.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	5.054726426952
Encrypted:	false
SSDEEP:	96:hBABCcnl5TKhkfLxSslykcxM2DjDf3GE+Xv8Xav+Yx4VndY7ndS27gA:h6n+0SAfRE+/8ZYxMdqn420
MD5:	C10E04DD4AD4277D5ADC951BB331C777
SHA1:	B1E30808198A3AE6D6D1CCA62DF8893DC2A7AD43
SHA-256:	E31AD6C6E82E603378CB6B80E67D0E0DCD9CF384E1199AC5A65CB4935680021A
SHA-512:	853A5564BF751D40484EA482444C6958457CB4A17FB973CF870F03F201B8B2643BE41BCCDE00F6B2026DC0C3D113E6481B0DC4C7B0F3AE7966D38C92C6B5862E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../.cXN`0XN`0XN`0XNa0mN`0.A=0UN`0.mP0]N`0.Hf0YN`0.nd0YN`0RichXN`0........................PE..L......K...........!......... ...............0.......................................................................6..k....0.......`.......................p.......................................................0...............................text...G........................... ..`.rdata..k....0......................@..@.data........@......................@....rsrc........`....... ..............@..@.reloc..<....p......."..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsu2089.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe
File Type:	data
Category:	dropped
Size (bytes):	601946
Entropy (8bit):	5.0884036830049
Encrypted:	false
SSDEEP:	6144:54S6NKbqurq5Ie+LXuQbXghp2nWCU3Hi3sjLUyKiO4HbRcAQZfo7e:DXXgHxCU3pP3BO4HVlQm7e
MD5:	1CB1AF2F9783879797843E596774706B
SHA1:	6B129E1E06BE0C4F65D06B22C47448FFEC65919E
SHA-256:	EF85D8D85A8DB83A8449CB3FB2ED3973A4E87FC06373FDA4C73E21F16E54F6DD
SHA-512:	1CC0E5A55998F7CEB8513C30B86C040A24132A2428BA34A9FD767679B2E1C21A3EC1953F99313572B79888B12DEFC962EF76DCBAE189DB9C753CED0C285B0AA4
Malicious:	false
Preview:	........,.......,.......D"......................................................................................9...f.......8..."...............................................................................................................................................................................................l...............................................j.......m...p...v...............................................................................................................................................................................e...........#...B.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsz1ED4.tmp

Download File

Process:	C:\Users\user\Desktop\Uninstall.exe
File Type:	data
Category:	dropped
Size (bytes):	229013
Entropy (8bit):	2.2128353401985317
Encrypted:	false
SSDEEP:	768:5to2QbPHU5yAUd6osz41S24+T+uzWSb8vGHpDVafbmXKs:5Qb6oszmS6T+uqtOJDIfbmp
MD5:	6907B6E75F20D468BA9ACAB239580EF5
SHA1:	BA9EE4ED79C0AFD618666CD6CB298BEE45486F8D
SHA-256:	C22FADADADCAF4DCE5CD75B510AAAB8F02527264CF7A385A00F3C6C614C87259
SHA-512:	D2762270664F120D2E2B266DE22A06B36584F5205CCC083002D84A982A8E6EC6385C2DA67D453B4AC79BA668077AE9570AB4F6997EFE9809974D410401E4D499
Malicious:	false
Preview:	........,.......,.......D"......................................................................................9...f.......8..."...............................................................................................................................................................................................l...............................................j.......m...p...v...............................................................................................................................................................................e...........#...B.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe

Download File

Process:	C:\Users\user\Desktop\Uninstall.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	313080
Entropy (8bit):	6.7841640934475
Encrypted:	false
SSDEEP:	6144:ES8gNaHlKBtpPFu5nvmrWMPOzT2QnMNloanqpZe8QvTq4Txss2jLm:CgNaHlKBtpPFu5nvmnOzT2QnMNlypZ5O
MD5:	7904BE8F714449E8D7D23D98D5942AEF
SHA1:	A5F579B308D08E595CB6B3601E7E354F157BE33D
SHA-256:	C5E1DF2580FA74E4CAA8FF329D1E4B820093EF9D29433E644B227186BEB6954A
SHA-512:	250F5FA4A891CF6A470613752F35A67676D0386DD54B6AA5C419F79E7476910C9A212E996FCA759726F4D97FFA54F963058593A885C3613305B8D37BB153F70E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 45% Antivirus: Virustotal, Detection: 51%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i..iw..iu..i...i..id..i!..i...i...it..iRichu..i........................PE..L......K.................\....... ..<2.......p....@..........................P......<........................................s..........................@............................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata...@...p...........................rsrc................v..............@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Uninstall.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	6.7841640934475
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Uninstall.exe
File size:	313'080 bytes
MD5:	7904be8f714449e8d7d23d98d5942aef
SHA1:	a5f579b308d08e595cb6b3601e7e354f157be33d
SHA256:	c5e1df2580fa74e4caa8ff329d1e4b820093ef9d29433e644b227186beb6954a
SHA512:	250f5fa4a891cf6a470613752f35a67676d0386dd54b6aa5c419f79e7476910c9a212e996fca759726f4d97ffa54f963058593a885c3613305b8d37bb153f70e
SSDEEP:	6144:ES8gNaHlKBtpPFu5nvmrWMPOzT2QnMNloanqpZe8QvTq4Txss2jLm:CgNaHlKBtpPFu5nvmnOzT2QnMNlypZ5O
TLSH:	F164AD03B765E4BEFD418971CDBAA2F942E2EC9AE5C395831B6BBE1734760901C7C241
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\....... .

File Icon


Icon Hash:	982e666331994b26

Static PE Info

General

Entrypoint:	0x40323c
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4B1AE416 [Sat Dec 5 22:52:06 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	099c0646ea7282d232219f8807883be0

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	23/02/2015 18:43:50 23/02/2017 18:43:50
Subject Chain	E=support@linkwizapp.com, CN=LinkWiz, O=LinkWiz, L=San Diego, S=CA, C=US
Version:	3
Thumbprint MD5:	CEFC9D69B520F5C1B5BF01990D39C721
Thumbprint SHA-1:	E6D96B042E485260A210D2A6D37DA26EF2DFD2AF
Thumbprint SHA-256:	131C0A4FFFDD09C9603F6EE5D96BC1A7234D05DF6F1066387EC8944F1454FB15
Serial:	1121A175F4ACE7F00EC14DB23572A3C1D217

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409130h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push 00008001h
call dword ptr [004070B4h]
push ebx
call dword ptr [0040727Ch]
push 00000008h
mov dword ptr [00446F58h], eax
call 00007F5BC0D798CEh
mov dword ptr [00446EA4h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 00429C58h
call dword ptr [00407158h]
push 004091B8h
push 00442EA0h
call 00007F5BC0D79581h
call dword ptr [004070B0h]
mov edi, 0046F000h
push eax
push edi
call 00007F5BC0D7956Fh
push ebx
call dword ptr [0040710Ch]
cmp byte ptr [0046F000h], 00000022h
mov dword ptr [00446EA0h], eax
mov eax, edi
jne 00007F5BC0D76CCCh
mov byte ptr [esp+14h], 00000022h
mov eax, 0046F001h
push dword ptr [esp+14h]
push eax
call 00007F5BC0D79062h
push eax
call dword ptr [0040721Ch]
mov dword ptr [esp+1Ch], eax
jmp 00007F5BC0D76D25h
cmp cl, 00000020h
jne 00007F5BC0D76CC8h
inc eax
cmp byte ptr [eax], 00000020h
je 00007F5BC0D76CBCh
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73a4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12b000	0x19b90	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x4b0b8	0x1640	.ndata
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x28c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5a5a	0x5c00	c3953c262c50b3d94af076321878ec20	False	0.6607931385869565	data	6.434848356779889	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1190	0x1200	f179218a059068529bdb4637ef5fa28e	False	0.4453125	data	5.181627099249737	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x3df98	0x400	8304967a23ff32b1b0197005a845ef83	False	0.5576171875	data	4.702855480290031	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x47000	0xe4000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x12b000	0x19b90	0x19c00	188016699e4727688e035b29e6d527b1	False	0.12031629247572816	data	2.884863625259417	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x12b340	0x666	Device independent bitmap graphic, 96 x 16 x 8, image size 1538, resolution 2868 x 2868 px/m, 15 important colors	English	United States	0.18192918192918192
RT_ICON	0x12b9a8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	United States	0.07559446350408139
RT_ICON	0x13c1d0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	English	United States	0.12990080302314597
RT_ICON	0x1403f8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States	0.21607883817427387
RT_ICON	0x1429a0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States	0.23944652908067543
RT_ICON	0x143a48	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	United States	0.4370567375886525
RT_DIALOG	0x143eb0	0x118	data	English	United States	0.5428571428571428
RT_DIALOG	0x143fc8	0x202	data	English	United States	0.4085603112840467
RT_DIALOG	0x1441d0	0xf8	data	English	United States	0.6290322580645161
RT_DIALOG	0x1442c8	0xf4	data	English	United States	0.5450819672131147
RT_DIALOG	0x1443c0	0xee	data	English	United States	0.6260504201680672
RT_GROUP_ICON	0x1444b0	0x4c	data	English	United States	0.7894736842105263
RT_VERSION	0x144500	0x2d0	data			0.44583333333333336
RT_MANIFEST	0x1447d0	0x3ba	XML 1.0 document, ASCII text, with very long lines (954), with no line terminators	English	United States	0.5209643605870021

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll	RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 07:51:03.342514038 CEST	53	60292	162.159.36.2	192.168.2.4
Oct 8, 2024 07:51:03.834114075 CEST	55683	53	192.168.2.4	1.1.1.1
Oct 8, 2024 07:51:03.842317104 CEST	53	55683	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 8, 2024 07:51:03.834114075 CEST	192.168.2.4	1.1.1.1	0xa826	Standard query (0)	18.31.95.13.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 8, 2024 07:51:03.842317104 CEST	1.1.1.1	192.168.2.4	0xa826	Name error (3)	18.31.95.13.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Target ID:	0
Start time:	01:50:29
Start date:	08/10/2024
Path:	C:\Users\user\Desktop\Uninstall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Uninstall.exe"
Imagebase:	0x400000
File size:	313'080 bytes
MD5 hash:	7904BE8F714449E8D7D23D98D5942AEF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	01:50:30
Start date:	08/10/2024
Path:	C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\user\Desktop\
Imagebase:	0x400000
File size:	313'080 bytes
MD5 hash:	7904BE8F714449E8D7D23D98D5942AEF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 45%, ReversingLabs Detection: 51%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	8.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	22.1%
Total number of Nodes:	1252
Total number of Limit Nodes:	20

Executed Functions

Function 0040323C Relevance: 61.5, APIs: 24, Strings: 11, Instructions: 270
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 0040325B
SetErrorMode.KERNELBASE(00008001), ref: 00403266
OleInitialize.OLE32(00000000), ref: 0040326D

Part of subcall function 00405E88: GetModuleHandleA.KERNEL32(?,?,00000000,0040327F,00000008), ref: 00405E9A
Part of subcall function 00405E88: LoadLibraryA.KERNELBASE(?,?,00000000,0040327F,00000008), ref: 00405EA5
Part of subcall function 00405E88: GetProcAddress.KERNEL32(00000000,?), ref: 00405EB6

SHGetFileInfoA.SHELL32(00429C58,00000000,?,00000160,00000000,00000008), ref: 00403295

Part of subcall function 00405B66: lstrcpynA.KERNEL32(?,?,00002000,004032AA,00442EA0,NSIS Error), ref: 00405B73

GetCommandLineA.KERNEL32(00442EA0,NSIS Error), ref: 004032AA
GetModuleHandleA.KERNEL32(00000000,0046F000,00000000), ref: 004032BD
CharNextA.USER32(00000000,0046F000,00000020), ref: 004032E8
GetTempPathA.KERNELBASE(00002000,00479000,00000000,00000020), ref: 0040337B
GetWindowsDirectoryA.KERNEL32(00479000,00001FFB), ref: 00403390
lstrcatA.KERNEL32(00479000,\Temp), ref: 0040339C
DeleteFileA.KERNELBASE(00477000), ref: 004033AF
ExitProcess.KERNEL32(00000000), ref: 00403428
CoUninitialize.COMBASE(00000000), ref: 0040342D
ExitProcess.KERNEL32 ref: 0040344D
lstrcatA.KERNEL32(00479000,~nsu.tmp,0046F000,00000000,00000000), ref: 00403459
lstrcmpiA.KERNEL32(00479000,00475000), ref: 00403465
CreateDirectoryA.KERNELBASE(00479000,00000000), ref: 00403471
SetCurrentDirectoryA.KERNELBASE(00479000), ref: 00403478
DeleteFileA.KERNELBASE(C:\Users\user\AppData\Local\Temp\~nsu.tmp\Zu_.exe,C:\Users\user\AppData\Local\Temp\~nsu.tmp\Zu_.exe,?,00447000,?), ref: 004034C2
CopyFileA.KERNEL32(0047D000,C:\Users\user\AppData\Local\Temp\~nsu.tmp\Zu_.exe,00000001), ref: 004034D6
CloseHandle.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\~nsu.tmp\Zu_.exe,C:\Users\user\AppData\Local\Temp\~nsu.tmp\Zu_.exe,?,C:\Users\user\AppData\Local\Temp\~nsu.tmp\Zu_.exe,00000000), ref: 00403503
GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 00403558
ExitWindowsEx.USER32(00000002,00000000), ref: 00403594
ExitProcess.KERNEL32 ref: 004035B7

Strings

Error launching installer, xrefs: 004033E5
~nsu.tmp, xrefs: 00403453
_?=, xrefs: 004033D6
\Temp, xrefs: 00403396
C:\Users\user\AppData\Local\Temp\~nsu.tmp\Zu_.exe, xrefs: 004034AB, 004034BB, 004034C1, 004034D0, 004034E1, 004034F2, 004034F8
", xrefs: 0040330A
NSIS Error, xrefs: 0040329B
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040324C
NCRC, xrefs: 00403328
/D=, xrefs: 0040333E
SeShutdownPrivilege, xrefs: 0040356A

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: ExitFileProcess$DirectoryHandle$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$"$C:\Users\user\AppData\Local\Temp\~nsu.tmp\Zu_.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 553446912-3238908397
Opcode ID: 09adc77615875cb99e1655232aa85b73943ac6b3ac0d2ef6babfe0bc3138c36e
Instruction ID: b18730c7e9b155b38634e246beb7c9543dbde463d43dfe3db889f1e824801833
Opcode Fuzzy Hash: 09adc77615875cb99e1655232aa85b73943ac6b3ac0d2ef6babfe0bc3138c36e
Instruction Fuzzy Hash: 6B91C3319087417EE7216F619C49B6B7EACEB0134AF44453BF885B61E2C77C5A048B6F

Function 00406131 Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d33a5f9df5361017a2c2cd63e74982cac3414c6cd2676332625b738f25334a08
Instruction ID: 7fe690cacb8e5da35aefc448adc87e2f65dc6f56ff44dc44b78e187fa59068bd
Opcode Fuzzy Hash: d33a5f9df5361017a2c2cd63e74982cac3414c6cd2676332625b738f25334a08
Instruction Fuzzy Hash: 70F16871D00229CBDF28CFA8C8946ADBBB1FF44305F25816ED856BB281D7785A96CF44

Function 00405E88 Relevance: 4.5, APIs: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,0040327F,00000008), ref: 00405E9A
LoadLibraryA.KERNELBASE(?,?,00000000,0040327F,00000008), ref: 00405EA5
GetProcAddress.KERNEL32(00000000,?), ref: 00405EB6

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: cda0668070076e7cac62d6abfc32be1e4fdfe709f191786036c768239460f4b3
Instruction ID: 91087f9554edebef2dfdad95906e97f440013226b38390424b9c6ad62026e406
Opcode Fuzzy Hash: cda0668070076e7cac62d6abfc32be1e4fdfe709f191786036c768239460f4b3
Instruction Fuzzy Hash: 0FE08C32A08511BBD3115B30ED0896B77A8EA89B41304083EF959F6290D734EC119BFA

Function 004058B4 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 144
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405E88: GetModuleHandleA.KERNEL32(?,?,00000000,0040327F,00000008), ref: 00405E9A
Part of subcall function 00405E88: LoadLibraryA.KERNELBASE(?,?,00000000,0040327F,00000008), ref: 00405EA5
Part of subcall function 00405E88: GetProcAddress.KERNEL32(00000000,?), ref: 00405EB6

MoveFileExA.KERNEL32(00000000,?,00000005,00000001,?,00000000,?,?,00405649,?,00000000,000000F1,?), ref: 004058CE
CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,00405649,?,00000000,000000F1,?), ref: 00405901
GetShortPathNameA.KERNEL32(?,0043E630,00000400), ref: 0040590A
GetShortPathNameA.KERNEL32(00000000,0043E0A8,00000400), ref: 00405927
wsprintfA.USER32 ref: 00405945
GetFileSize.KERNEL32(00000000,00000000,0043E0A8,C0000000,00000004,0043E0A8,?,?,?,00000000,000000F1,?), ref: 00405980
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 0040598F
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 004059A5
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,0043DCA8,00000000,-0000000A,00409350,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004059EB
WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 004059FD
GlobalFree.KERNEL32(00000000), ref: 00405A04
CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 00405A0B

Part of subcall function 004057B2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,004059C0,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057B9
Part of subcall function 004057B2: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004059C0,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057E9

Strings

0C, xrefs: 004058EF
%s=%s, xrefs: 0040593B
[Rename], xrefs: 004059B5, 004059C7

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModuleMovePointerProcReadSizeWritewsprintf
String ID: %s=%s$0C$[Rename]
API String ID: 3178728463-2466990604
Opcode ID: 858f5c4d80c95a4a08ed66f26c8312584c08bcf35fb67b9fffa86d3c3ff23487
Instruction ID: e4acf15c9d64fbf53db5c011c469a52faadac1e9922c4ea510687d497f36d3fc
Opcode Fuzzy Hash: 858f5c4d80c95a4a08ed66f26c8312584c08bcf35fb67b9fffa86d3c3ff23487
Instruction Fuzzy Hash: AF410231605B01ABE3207B619C89F6B3A5CEF85715F140136FE05F22D2E678A801CEBE

Function 00402C72 Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402C86
GetModuleFileNameA.KERNEL32(00000000,0047D000,00002000), ref: 00402CA2

Part of subcall function 0040583D: GetFileAttributesA.KERNELBASE(00000003,00402CB5,0047D000,80000000,00000003), ref: 00405841
Part of subcall function 0040583D: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405863

GetFileSize.KERNEL32(00000000,00000000,0047F000,00000000,00475000,00475000,0047D000,0047D000,80000000,00000003), ref: 00402CEB
GlobalAlloc.KERNELBASE(00000040,00409130), ref: 00402E32

Strings

Error launching installer, xrefs: 00402CC2
soft, xrefs: 00402D62
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402EC9
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402E7B
Inst, xrefs: 00402D59
Null, xrefs: 00402D6B

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-3016655952
Opcode ID: 320803e11de9210893dcdc2625a9e59dd4b90fb97de3a53ae8615a4bb38eddc3
Instruction ID: 03df0606648b4ab024968444c385b092b5c0145c7837f8ae0f7e4b1fa0432a39
Opcode Fuzzy Hash: 320803e11de9210893dcdc2625a9e59dd4b90fb97de3a53ae8615a4bb38eddc3
Instruction Fuzzy Hash: EB61C171940215ABDB20DF65DE89B9A77B8EB05314F20403BF904B72D2D7BC9E418BAD

Function 00403043 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403058

Part of subcall function 004031F1: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E9D,?), ref: 004031FF

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00402F4E,00000004,00000000,00000000,00000000,?,?,?,00402EC4,000000FF,00000000), ref: 0040308B
WriteFile.KERNELBASE(00413C40,?,00000000,00000000,0041BC40,00004000,?,00000000,?,00402F4E,00000004,00000000,00000000,00000000,?,?), ref: 00403145
SetFilePointer.KERNELBASE(0000E0DC,00000000,00000000,0041BC40,00004000,?,00000000,?,00402F4E,00000004,00000000,00000000,00000000,?,?), ref: 00403197

Strings

@<A, xrefs: 0040309D

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: File$Pointer$CountTickWrite
String ID: @<A
API String ID: 2146148272-4260584491
Opcode ID: 174d68c61dc59966423a732e2d3c391a81e8efc1f43ef34debc31d603f9fbc71
Instruction ID: 38a819a872193e9674b1f8cae37046a3c02fbcd4fdc241d2fccf286a9b7d6e75
Opcode Fuzzy Hash: 174d68c61dc59966423a732e2d3c391a81e8efc1f43ef34debc31d603f9fbc71
Instruction Fuzzy Hash: A841A0726081019FD710DF29ED409A67FACF748357714427BE800BA2E5EB386E499B9D

Function 00402F18 Relevance: 7.6, APIs: 5, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNEL32(00409130,00000000,00000000,00000000,00000000,00000000,?,?,?,00402EC4,000000FF,00000000,00000000,00409130,?), ref: 00402F3F
ReadFile.KERNELBASE(00409130,00000004,?,00000000,00000004,00000000,00000000,00000000,?,?,?,00402EC4,000000FF,00000000,00000000,00409130), ref: 00402F6C
ReadFile.KERNEL32(0041BC40,00004000,?,00000000,00409130,?,00402EC4,000000FF,00000000,00000000,00409130,?), ref: 00402FC6
WriteFile.KERNEL32(00000000,0041BC40,?,000000FF,00000000,?,00402EC4,000000FF,00000000,00000000,00409130,?), ref: 00402FDE

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: File$Read$PointerWrite
String ID:
API String ID: 2113905535-0
Opcode ID: 3f7d08bd1b607004b86426ebc4fc7916ae32c0a4dad671b24d0311feea879852
Instruction ID: ec21393f4165ad4c0dee3133c7f646fae2b171c51213e780747c13a8c2f6635b
Opcode Fuzzy Hash: 3f7d08bd1b607004b86426ebc4fc7916ae32c0a4dad671b24d0311feea879852
Instruction Fuzzy Hash: 8A314731501249EBDB21CF55DD44A9E7FBCEB803A5F20403AF904A6194D7749F81EBA9

Function 0040586C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040587F
GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 00405899

Strings

nsa, xrefs: 00405878

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction ID: 7bdb262dbebad2fb51735791196b4a750b565e3ebaa120aaaad2cbe3184e43fd
Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction Fuzzy Hash: B1F0A73734820876E7105E55DC04B9B7F9DDF91760F14C027FE44DA1C0D6B49954C7A5

Function 004053C6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0043E4A8,Error launching installer), ref: 004053EB
CloseHandle.KERNEL32(?), ref: 004053F8

Strings

Error launching installer, xrefs: 004053D9

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: b7c9d10a8054e1d63aace513746620387ba85298539cfb76979fbda5e6a590d7
Instruction ID: 5c094ea24e64812d6ab6634a7517117686aedeac2daf9b822694a8d73c7fdf3e
Opcode Fuzzy Hash: b7c9d10a8054e1d63aace513746620387ba85298539cfb76979fbda5e6a590d7
Instruction Fuzzy Hash: 43E0ECB4900209AFEB00AF65DC49AAB7BBDEB18315F10D522A911E2190D775D8109A79

Function 00406566 Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b47bfdafb4299acf6df14b1a265fb959f908a42d38d0bc6d60d6342fbb02c28f
Instruction ID: 319d18918fa2cc3741333e20ed782d5c303dd2f769888eebbc994f2124d7c2e6
Opcode Fuzzy Hash: b47bfdafb4299acf6df14b1a265fb959f908a42d38d0bc6d60d6342fbb02c28f
Instruction Fuzzy Hash: 29A15171E00229CBDF28CFA8C8547ADBBB1FF44305F15812AD856BB281D7789A96DF44

Function 00406767 Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0b545a720d06a2780d8eb9310de1c164ea8e259f40aa19cdef3f662a7789f4d
Instruction ID: 868f2ec1f3ea74d7de1394d818727f69d5aca31e92bf34b5737afca42cfaef71
Opcode Fuzzy Hash: d0b545a720d06a2780d8eb9310de1c164ea8e259f40aa19cdef3f662a7789f4d
Instruction Fuzzy Hash: 6E913171D00229CBEF28CF98C8547ADBBB1FF44305F15812AD856BB281C7789A9ADF44

Function 0040647D Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ca4e82cbd918d9bc6f131d9bc7fd5d61b9600368ad5a57dd77e762cc9babb20
Instruction ID: e06b97397237a54a8f7c6fae7a0c48c933f493286525731b7b3672fa0d973436
Opcode Fuzzy Hash: 3ca4e82cbd918d9bc6f131d9bc7fd5d61b9600368ad5a57dd77e762cc9babb20
Instruction Fuzzy Hash: 678155B1D00229CFDF24CFA8C8447ADBBB1FB44305F25816AD456BB281D7789A96CF54

Function 00405F82 Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c94337aa44be19872a05e7fe324c1f72408cb83bc4afcb37e89916e28dd5cdb7
Instruction ID: 3ccfc7c80e99de65fa6db0e0edc8679980b1d0ea62cd2807200041591328ae3c
Opcode Fuzzy Hash: c94337aa44be19872a05e7fe324c1f72408cb83bc4afcb37e89916e28dd5cdb7
Instruction Fuzzy Hash: D98187B1D00229CBDF24CFA8C8447AEBBB1FB44305F11816AD856BB2C1C7785A96CF44

Function 004063D0 Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 040a7e0d789931a885e98904e34fb369bef72c7c312577bd0d6f252efd828c84
Instruction ID: 235c9a1f152390887c8e3346b3cf8cf745e7d176c25095dba4735a56a8f4339d
Opcode Fuzzy Hash: 040a7e0d789931a885e98904e34fb369bef72c7c312577bd0d6f252efd828c84
Instruction Fuzzy Hash: 80714371D00229CBDF28CFA8C8447ADBBF1FB48305F15806AD846BB281D7395A96DF54

Function 004064EE Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55b1e8378e3b2d282ecc9e99db2cbf184c75cfe722202a43e2005f386b139382
Instruction ID: 067b91939e33353516387f96afd3df60e22fb0a2a23546be1218d687de4ca84d
Opcode Fuzzy Hash: 55b1e8378e3b2d282ecc9e99db2cbf184c75cfe722202a43e2005f386b139382
Instruction Fuzzy Hash: 14715371E00229CFEF28CF98C844BADBBB1FB44305F15816AD816BB281C7799996DF54

Function 0040643A Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c10b0ec6d8a1716373c4594016b158d4b4e2bf5790cbb1f15a9d43b973b4a336
Instruction ID: fa01dbb36adddbb747bc37ce8d7c8691094d52a97b4972d7f98645f49a39bfe1
Opcode Fuzzy Hash: c10b0ec6d8a1716373c4594016b158d4b4e2bf5790cbb1f15a9d43b973b4a336
Instruction Fuzzy Hash: B3715671D00229CBEF28CF98C844BADBBB1FF44305F11816AD856BB281C7795A56DF54

Function 0040583D Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402CB5,0047D000,80000000,00000003), ref: 00405841
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405863

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
Instruction ID: 90a47e22fdd321f70bf06df01bfdefa11f3e73682391c7296034eb3a8fe04f39
Opcode Fuzzy Hash: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
Instruction Fuzzy Hash: 8CD09E31658301AFEF098F20DD1AF2E7AA2EB84B00F10562CB646940E0D6715815DB16

Function 004035BD Relevance: 2.5, APIs: 2, Instructions: 20COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,0040342D,00000000), ref: 004035CF
CloseHandle.KERNEL32(FFFFFFFF,00000000,0040342D,00000000), ref: 004035E3

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: cf1c0dce9632df3043923ee584cd2e69872593ec5d746abbedfa489e726c2207
Instruction ID: 6d42d11965f2adb29e1169b23679bd7ec52781afc4985877fb6b731432307fd0
Opcode Fuzzy Hash: cf1c0dce9632df3043923ee584cd2e69872593ec5d746abbedfa489e726c2207
Instruction Fuzzy Hash: A9E0CD3050061066C234AF7CAD455463B1C9B413377248722F138F21F2C7389E824AED

Function 004031BF Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00409130,00000000,00000000,00000000,0041BC40,00413C40,004030C4,0041BC40,00004000,?,00000000,?,00402F4E,00000004,00000000,00000000), ref: 004031D6

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
Instruction ID: 4c5c04567c480c11bae84e94003d2882b37cb3083c3cc1db03504fe221b835f3
Opcode Fuzzy Hash: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
Instruction Fuzzy Hash: DAE08631500119BBCF215E619C00A973B5CEB09362F008033FA04E9190D532DB109BA5

Function 00403208 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00405DC8: CharNextA.USER32(?,*?|<>/":,00000000,00479000,0046F000,00479000,00000000,00403214,00479000,00000000,00403386), ref: 00405E20
Part of subcall function 00405DC8: CharNextA.USER32(?,?,?,00000000), ref: 00405E2D
Part of subcall function 00405DC8: CharNextA.USER32(?,00479000,0046F000,00479000,00000000,00403214,00479000,00000000,00403386), ref: 00405E32
Part of subcall function 00405DC8: CharPrevA.USER32(?,?,0046F000,00479000,00000000,00403214,00479000,00000000,00403386), ref: 00405E42

CreateDirectoryA.KERNELBASE(00479000,00000000,00479000,00479000,00479000,00000000,00403386), ref: 00403229

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: 11ac191fccc5bbc9840a496eb92e8966bc42d1118a3597eec2c2256fb95cb988
Instruction ID: be85e933f5554b091e9989970333af42224d3bace8f0b1f193a31a6a85193b6d
Opcode Fuzzy Hash: 11ac191fccc5bbc9840a496eb92e8966bc42d1118a3597eec2c2256fb95cb988
Instruction Fuzzy Hash: A0D0C92255AE3031C652323A3C06FDF092C9F1272AF55887BF908B40D54B6C1E4289EE

Function 004031F1 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E9D,?), ref: 004031FF

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
Instruction ID: eafd0aff1283cdec3023edec91852d87283cefa69c9b21bce59c6677f93a42a7
Opcode Fuzzy Hash: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
Instruction Fuzzy Hash: 14B01271644200BFDB214F00DF06F057B21A790701F108030B344380F082712420EB1E

Non-executed Functions

Function 00405042 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 278windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 004050A1
GetDlgItem.USER32(?,000003EE), ref: 004050B0
GetClientRect.USER32(?,?), ref: 004050ED
GetSystemMetrics.USER32(00000015), ref: 004050F5
SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00405116
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405127
SendMessageA.USER32(?,00001001,00000000,00000110), ref: 0040513A
SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00405148
SendMessageA.USER32(?,00001024,00000000,?), ref: 0040515B
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040517D
ShowWindow.USER32(?,00000008), ref: 00405191
GetDlgItem.USER32(?,000003EC), ref: 004051B2
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004051C2
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004051DB
SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 004051E7
GetDlgItem.USER32(?,000003F8), ref: 004050BF

Part of subcall function 00403F4D: SendMessageA.USER32(00000028,?,00000001,00403D7E), ref: 00403F5B

GetDlgItem.USER32(?,000003EC), ref: 00405204
CreateThread.KERNEL32(00000000,00000000,Function_00004FD6,00000000), ref: 00405212
CloseHandle.KERNEL32(00000000), ref: 00405219
ShowWindow.USER32(00000000), ref: 0040523D
ShowWindow.USER32(?,00000008), ref: 00405242
ShowWindow.USER32(00000008), ref: 00405289
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052BB
CreatePopupMenu.USER32 ref: 004052CC
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004052E1
GetWindowRect.USER32(?,?), ref: 004052F4
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405318
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405353
OpenClipboard.USER32(00000000), ref: 00405363
EmptyClipboard.USER32 ref: 00405369
GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405372
GlobalLock.KERNEL32(00000000), ref: 0040537C
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405390
GlobalUnlock.KERNEL32(00000000), ref: 004053A8
SetClipboardData.USER32(00000001,00000000), ref: 004053B3
CloseClipboard.USER32 ref: 004053B9

Strings

{, xrefs: 004052A8

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: a51cd251cad040235ef2024c29e6b1610bda6eb2e8050d4f52d082b939cf5941
Instruction ID: d5cc792025810b1fa5c52fd71f17093da58624e5fcdd428af89ce0e6d8bd8183
Opcode Fuzzy Hash: a51cd251cad040235ef2024c29e6b1610bda6eb2e8050d4f52d082b939cf5941
Instruction Fuzzy Hash: 21A15870804208FFDB119FA0DD89AAE3F79FB04354F10417AFA05BA2A0C7B55A41DF59

Function 00404853 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 478windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 0040486A
GetDlgItem.USER32(?,00000408), ref: 00404877
GlobalAlloc.KERNEL32(00000040,?), ref: 004048C3
LoadBitmapA.USER32(0000006E), ref: 004048D6
SetWindowLongA.USER32(?,000000FC,00404E54), ref: 004048F0
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404904
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404918
SendMessageA.USER32(?,00001109,00000002), ref: 0040492D
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404939
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 0040494B
DeleteObject.GDI32(?), ref: 00404950
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 0040497B
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404987
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404A1C
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404A47
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404A5B
GetWindowLongA.USER32(?,000000F0), ref: 00404A8A
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404A98
ShowWindow.USER32(?,00000005), ref: 00404AA9
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404BAC
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404C11
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404C26
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404C4A
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404C70
ImageList_Destroy.COMCTL32(?), ref: 00404C85
GlobalFree.KERNEL32(?), ref: 00404C95
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404D05
SendMessageA.USER32(?,00001102,00000410,?), ref: 00404DAE
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404DBD
InvalidateRect.USER32(?,00000000,00000001), ref: 00404DDD
ShowWindow.USER32(?,00000000), ref: 00404E2B
GetDlgItem.USER32(?,000003FE), ref: 00404E36
ShowWindow.USER32(00000000), ref: 00404E3D

Strings

, xrefs: 00404E15
N, xrefs: 00404AE7
M, xrefs: 00404A03

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 0e1a33c3e694231fb3390c5c9e17b12e35b4e92da7da87bf5bd91a9e50e2b9fc
Instruction ID: 1183d6f7a9f832480c2a2c99bd38156e4ec5938e1fe9ffba5ec1c0e4999ab2b0
Opcode Fuzzy Hash: 0e1a33c3e694231fb3390c5c9e17b12e35b4e92da7da87bf5bd91a9e50e2b9fc
Instruction Fuzzy Hash: 8A029CB0D00209AFEB11CF65DD45AAE7BB5FB85314F10817AF610BA2E1C7B99A41CF58

Function 00404356 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 266stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004043A2
SetWindowTextA.USER32(?,?), ref: 004043CF
SHBrowseForFolderA.SHELL32(?,0042BC70,?), ref: 00404484
CoTaskMemFree.OLE32(00000000), ref: 0040448F
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\~nsu.tmp\Zu_.exe,00431CA0), ref: 004044C1
lstrcatA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\~nsu.tmp\Zu_.exe), ref: 004044CD
SetDlgItemTextA.USER32(?,000003FB,?), ref: 004044DD

Part of subcall function 0040540B: GetDlgItemTextA.USER32(?,?,00002000,00404510), ref: 0040541E

Part of subcall function 00405DC8: CharNextA.USER32(?,*?|<>/":,00000000,00479000,0046F000,00479000,00000000,00403214,00479000,00000000,00403386), ref: 00405E20
Part of subcall function 00405DC8: CharNextA.USER32(?,?,?,00000000), ref: 00405E2D
Part of subcall function 00405DC8: CharNextA.USER32(?,00479000,0046F000,00479000,00000000,00403214,00479000,00000000,00403386), ref: 00405E32
Part of subcall function 00405DC8: CharPrevA.USER32(?,?,0046F000,00479000,00000000,00403214,00479000,00000000,00403386), ref: 00405E42

GetDiskFreeSpaceA.KERNEL32(00429C68,?,?,0000040F,?,00429C68,00429C68,?,00000000,00429C68,?,?,000003FB,?), ref: 00404596
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004045B1
SetDlgItemTextA.USER32(00000000,00000400,00429C58), ref: 0040462A

Strings

C:\Users\user\AppData\Local\Temp\~nsu.tmp\Zu_.exe, xrefs: 004044BB, 004044C0, 004044CB
A, xrefs: 0040447D

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: A$C:\Users\user\AppData\Local\Temp\~nsu.tmp\Zu_.exe
API String ID: 2246997448-978382989
Opcode ID: c4ab5f9acc70c33c109baa3c0883ae9a6e2437a1c98b2a2a31c98fc876b6eae3
Instruction ID: 837b9add0ee4c7fa7edda3a2cfc136c172d34a8f6a08fd8700377a4301a7160d
Opcode Fuzzy Hash: c4ab5f9acc70c33c109baa3c0883ae9a6e2437a1c98b2a2a31c98fc876b6eae3
Instruction Fuzzy Hash: 57917EB1900208ABDB11DFA2CD84AAF7BB8EF85354F10447BF604B62D1D77C9A419B69

Function 00405B88 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 197stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,0042DC78,00000000,00404F3C,0042DC78,00000000), ref: 00405C30
GetSystemDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\~nsu.tmp\Zu_.exe,00002000), ref: 00405CAB
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\~nsu.tmp\Zu_.exe,00002000), ref: 00405CBE
SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00405CFA
SHGetPathFromIDListA.SHELL32(00000000,C:\Users\user\AppData\Local\Temp\~nsu.tmp\Zu_.exe), ref: 00405D08
CoTaskMemFree.OLE32(00000000), ref: 00405D13
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\~nsu.tmp\Zu_.exe,\Microsoft\Internet Explorer\Quick Launch), ref: 00405D35
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\~nsu.tmp\Zu_.exe,?,0042DC78,00000000,00404F3C,0042DC78,00000000), ref: 00405D87

Strings

C:\Users\user\AppData\Local\Temp\~nsu.tmp\Zu_.exe, xrefs: 00405BB1, 00405C78, 00405C95, 00405CAA, 00405CBD, 00405CD9, 00405D04, 00405D34, 00405D3A, 00405D52, 00405D65, 00405D80, 00405D86, 00405D91, 00405DBB
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405C7A
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405D2F

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\~nsu.tmp\Zu_.exe$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-1509007515
Opcode ID: 088bb6aa19643ac4639f92105eba46d0f8c85c3bc8575449d65d3801c8dcd7b1
Instruction ID: 9e5192f8493aa47ebdc16a38911c6d04ebd0228925298aebbb8fa2a4147c3c24
Opcode Fuzzy Hash: 088bb6aa19643ac4639f92105eba46d0f8c85c3bc8575449d65d3801c8dcd7b1
Instruction Fuzzy Hash: AC510335904A05AAEF215B64DC88B7F3BA4DF56324F24823BE911B62D0D37C5981DF4E

Function 0040548B Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 156filestringCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(?,?,0046F000,74DF2EE0), ref: 004054A9
lstrcatA.KERNEL32(00439CA8,\*.*,00439CA8,?,00000000,?,0046F000,74DF2EE0), ref: 004054F3
lstrcatA.KERNEL32(?,00409010,?,00439CA8,?,00000000,?,0046F000,74DF2EE0), ref: 00405514
lstrlenA.KERNEL32(?,?,00409010,?,00439CA8,?,00000000,?,0046F000,74DF2EE0), ref: 0040551A
FindFirstFileA.KERNEL32(00439CA8,?,?,?,00409010,?,00439CA8,?,00000000,?,0046F000,74DF2EE0), ref: 0040552B
FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 004055DD
FindClose.KERNEL32(?), ref: 004055EE

Strings

\*.*, xrefs: 004054ED

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 2035342205-1173974218
Opcode ID: 62009baea20755743a64f6a36bc5f6423812f01b0c07ebd8a4f50c8588871773
Instruction ID: c21d71015f388e95bcdaf446d79f8f0681b512570eb11bb529d8bb9f749da999
Opcode Fuzzy Hash: 62009baea20755743a64f6a36bc5f6423812f01b0c07ebd8a4f50c8588871773
Instruction Fuzzy Hash: C0510431804A447ADB216B218C45BBF3B79DF42728F14847BF915711D2C73C5A85DE6E

Function 00402020 Relevance: 3.1, APIs: 2, Instructions: 134comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00407384,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402073
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409368,00000400,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040212D

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID:
API String ID: 123533781-0
Opcode ID: 8b831bab9411c541a496b36cb7f3b9bb8278311742473642f8caf1b0044b4e6e
Instruction ID: 5940827fd3d8acfdb20cb91e5591fd81c6146be5a3dcf74c184eb07012a2b88f
Opcode Fuzzy Hash: 8b831bab9411c541a496b36cb7f3b9bb8278311742473642f8caf1b0044b4e6e
Instruction Fuzzy Hash: 9641AF75A00205AFCB40DFA4CD88E9E7BBAFF48354B204269FA15FB2D0CA799D41CB54

Function 00405E61 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(?,0043E4F0,0043BCA8,0040577D,0043BCA8,0043BCA8,00000000,0043BCA8,0043BCA8,?,?,74DF2EE0,0040549F,?,0046F000,74DF2EE0), ref: 00405E6C
FindClose.KERNEL32(00000000), ref: 00405E78

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 01e595e2f3112a2de1d0a49937830070d80cc3437c46873e90b3c13b0457b4b6
Instruction ID: ad08286ca6cff15a9a126e67a78f5d7bda1c091ca2a48e653f649c3583465e9e
Opcode Fuzzy Hash: 01e595e2f3112a2de1d0a49937830070d80cc3437c46873e90b3c13b0457b4b6
Instruction Fuzzy Hash: 9CD012359495205FC7001739AC0C85B7A58EF593347108B32F969F62E0C7749D52CAED

Function 0040263E Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040264D

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: bf92d7814b32302f681bd40fdb9e228ea073e4d71cbcac882ac9a9a5f6c806a4
Instruction ID: 6ae398fb3f52c984721297e6b505dcc5bf61800dadfb0bcb08d50d620a11001a
Opcode Fuzzy Hash: bf92d7814b32302f681bd40fdb9e228ea073e4d71cbcac882ac9a9a5f6c806a4
Instruction Fuzzy Hash: B3F0A7725041019BD700DBB499499EEB7689B51314F60067BE111F20C1C2B859459B2E

Function 00403A45 Relevance: 48.3, APIs: 32, Instructions: 345windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403A81
ShowWindow.USER32(?), ref: 00403A9E
DestroyWindow.USER32 ref: 00403AB2
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403ACE
GetDlgItem.USER32(?,?), ref: 00403AEF
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403B03
IsWindowEnabled.USER32(00000000), ref: 00403B0A
GetDlgItem.USER32(?,00000001), ref: 00403BB8
GetDlgItem.USER32(?,00000002), ref: 00403BC2
SetClassLongA.USER32(?,000000F2,?), ref: 00403BDC
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403C2D
GetDlgItem.USER32(?,00000003), ref: 00403CD3
ShowWindow.USER32(00000000,?), ref: 00403CF4
EnableWindow.USER32(?,?), ref: 00403D06
EnableWindow.USER32(?,?), ref: 00403D21
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403D37
EnableMenuItem.USER32(00000000), ref: 00403D3E
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403D56
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403D69
lstrlenA.KERNEL32(00431CA0,?,00431CA0,00442EA0), ref: 00403D92
SetWindowTextA.USER32(?,00431CA0), ref: 00403DA1
ShowWindow.USER32(?,0000000A), ref: 00403ED5

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: b4f51a569deccd6f3493512b7ddc09a36627d2e63de436a3da0c16f408f16889
Instruction ID: 1fd14b61aacdda538f00b8b16eb253fda244b111fbceed3359c2b62430d0d08c
Opcode Fuzzy Hash: b4f51a569deccd6f3493512b7ddc09a36627d2e63de436a3da0c16f408f16889
Instruction Fuzzy Hash: 7EC1A075904204ABDB20AF21ED89E2B3E7CEB5670AF50053EF541B11F1C77AA941DB2E

Function 004036AF Relevance: 44.0, APIs: 15, Strings: 10, Instructions: 216stringregistrylibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00405E88: GetModuleHandleA.KERNEL32(?,?,00000000,0040327F,00000008), ref: 00405E9A
Part of subcall function 00405E88: LoadLibraryA.KERNELBASE(?,?,00000000,0040327F,00000008), ref: 00405EA5
Part of subcall function 00405E88: GetProcAddress.KERNEL32(00000000,?), ref: 00405EB6

lstrcatA.KERNEL32(00477000,00431CA0,80000001,Control Panel\Desktop\ResourceLocale,00000000,00431CA0,00000000,00000006,0046F000,00000000,00479000,00000000), ref: 00403720
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\~nsu.tmp\Zu_.exe,?,?,?,C:\Users\user\AppData\Local\Temp\~nsu.tmp\Zu_.exe,00000000,00471000,00477000,00431CA0,80000001,Control Panel\Desktop\ResourceLocale,00000000,00431CA0,00000000,00000006,0046F000), ref: 00403795
lstrcmpiA.KERNEL32(?,.exe), ref: 004037A8
GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\~nsu.tmp\Zu_.exe), ref: 004037B3
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,00471000), ref: 004037FC

Part of subcall function 00405AC4: wsprintfA.USER32 ref: 00405AD1

RegisterClassA.USER32 ref: 00403843
SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 0040385B
CreateWindowExA.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403894
ShowWindow.USER32(00000005,00000000), ref: 004038CA
LoadLibraryA.KERNEL32(RichEd20), ref: 004038DB
LoadLibraryA.KERNEL32(RichEd32), ref: 004038E6
GetClassInfoA.USER32(00000000,RichEdit20A,00442E40), ref: 004038F6
GetClassInfoA.USER32(00000000,RichEdit,00442E40), ref: 00403903
RegisterClassA.USER32(00442E40), ref: 0040390C
DialogBoxParamA.USER32(?,00000000,00403A45,00000000), ref: 0040392B

Strings

C:\Users\user\AppData\Local\Temp\~nsu.tmp\Zu_.exe, xrefs: 00403763, 0040376B, 00403778, 004037C2, 004037C8
_Nb, xrefs: 00403852, 00403857
RichEdit, xrefs: 004038FD
Control Panel\Desktop\ResourceLocale, xrefs: 004036E3
@.D, xrefs: 0040380B
RichEd32, xrefs: 004038E1
.exe, xrefs: 004037A2
.DEFAULT\Control Panel\International, xrefs: 0040370B
RichEdit20A, xrefs: 004038EE, 004038F4
RichEd20, xrefs: 004038D6

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$@.D$C:\Users\user\AppData\Local\Temp\~nsu.tmp\Zu_.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 914957316-2126306940
Opcode ID: 37261a5dc7353b0e66c3586d2152ef1fe1a8c9b0db62de6cfcd712c82bfdfbe7
Instruction ID: 3542310957e084efa4f7071889cf7bf748f4eb568de54123e821ab1392b17e28
Opcode Fuzzy Hash: 37261a5dc7353b0e66c3586d2152ef1fe1a8c9b0db62de6cfcd712c82bfdfbe7
Instruction Fuzzy Hash: 8161E3B46442007FE710AF619D45F2B3AACEB4675AF50443FF940B22E1D7B8AD00CA2E

Function 00404060 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004040EB
GetDlgItem.USER32(00000000,000003E8), ref: 004040FF
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040411D
GetSysColor.USER32(?), ref: 0040412E
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040413D
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040414C
lstrlenA.KERNEL32(?), ref: 00404156
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404164
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404173
GetDlgItem.USER32(?,0000040A), ref: 004041D6
SendMessageA.USER32(00000000), ref: 004041D9
GetDlgItem.USER32(?,000003E8), ref: 00404204
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404244
LoadCursorA.USER32(00000000,00007F02), ref: 00404253
SetCursor.USER32(00000000), ref: 0040425C
ShellExecuteA.SHELL32(0000070B,open,@C,00000000,00000000,00000001), ref: 0040426F
LoadCursorA.USER32(00000000,00007F00), ref: 0040427C
SetCursor.USER32(00000000), ref: 0040427F
SendMessageA.USER32(00000111,00000001,00000000), ref: 004042AB
SendMessageA.USER32(00000010,00000000,00000000), ref: 004042BF

Strings

@C, xrefs: 00404264
N, xrefs: 004041F2
open, xrefs: 00404267

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: @C$N$open
API String ID: 3615053054-560641889
Opcode ID: 7eb73afa992198c4f98a95f14df475cedb7533b9faad63bc5bef38095aed9e24
Instruction ID: 3a1959b9348cc4f2966bed60e082faf824cb7eb55f7dfb2b2a637252ef2f0b8f
Opcode Fuzzy Hash: 7eb73afa992198c4f98a95f14df475cedb7533b9faad63bc5bef38095aed9e24
Instruction Fuzzy Hash: 4F61BFB1A40309BFEB109F60DC45F6A3B69FB44755F10807AFB04BA2D1C7B8A951CB99

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00442EA0,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 055318d4bc47e4a764edf33350f334e63965e525b0f85424403fd80477bc7367
Instruction ID: ad11f47ad4c56fba0198c5e023b152b535431d91685ad324ade778771994e4e2
Opcode Fuzzy Hash: 055318d4bc47e4a764edf33350f334e63965e525b0f85424403fd80477bc7367
Instruction Fuzzy Hash: 68419A72804249AFCB058FA5CD459BFBBB9FF45314F00812AF951AA1A0C778AA50DFA5

Function 00403F7F Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00403F9C
GetSysColor.USER32(00000000), ref: 00403FB8
SetTextColor.GDI32(?,00000000), ref: 00403FC4
SetBkMode.GDI32(?,?), ref: 00403FD0
GetSysColor.USER32(?), ref: 00403FE3
SetBkColor.GDI32(?,?), ref: 00403FF3
DeleteObject.GDI32(?), ref: 0040400D
CreateBrushIndirect.GDI32(?), ref: 00404017

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction ID: 4cc26f8bf5fc777f430f8318c3ba194748f169832e683f7fcd21add738ba3f9d
Opcode Fuzzy Hash: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction Fuzzy Hash: C221C371904705ABCB209F78DD08B4BBBF8AF40711F048A29F992F26E0C738E904CB55

Function 0040267C Relevance: 10.6, APIs: 7, Instructions: 89memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026D0
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026EC
GlobalFree.KERNEL32(?), ref: 00402725
WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402737
GlobalFree.KERNEL32(00000000), ref: 0040273E
CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 00402756
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040276A

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: c3a075b99b10f16fe81905acb2740d1399eaf426bce7a51db518b858d54e2138
Instruction ID: 139215c225530ed05a72f165aec94188ca6d0ffd2e2debb4f1ded45b97d75f17
Opcode Fuzzy Hash: c3a075b99b10f16fe81905acb2740d1399eaf426bce7a51db518b858d54e2138
Instruction Fuzzy Hash: BF31AD71C00128BBDF216FA4CD89DAE7E78EF09364F10423AF920772E0C6795D419BA9

Function 00404F04 Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0042DC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000,?), ref: 00404F3D
lstrlenA.KERNEL32(00402C4A,0042DC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000), ref: 00404F4D
lstrcatA.KERNEL32(0042DC78,00402C4A,00402C4A,0042DC78,00000000,00000000,00000000), ref: 00404F60
SetWindowTextA.USER32(0042DC78,0042DC78), ref: 00404F72
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F98
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FB2
SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FC0

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 5c433b9d1919233fe057bb373fe17f09c05b4435df315aeb336d2a0590a8cccc
Instruction ID: 2fc55b577d604e71a684dab85a3a394c861f11f73c7a4afdaccd6d4ddf25b775
Opcode Fuzzy Hash: 5c433b9d1919233fe057bb373fe17f09c05b4435df315aeb336d2a0590a8cccc
Instruction Fuzzy Hash: 98218CB1900119BBDB019FA5DD8499EBFB9EF49354F14807AFA04B6290C3789E40CB68

Function 00402BD3 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402BEB
GetTickCount.KERNEL32 ref: 00402C09
wsprintfA.USER32 ref: 00402C37

Part of subcall function 00404F04: lstrlenA.KERNEL32(0042DC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000,?), ref: 00404F3D
Part of subcall function 00404F04: lstrlenA.KERNEL32(00402C4A,0042DC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000), ref: 00404F4D
Part of subcall function 00404F04: lstrcatA.KERNEL32(0042DC78,00402C4A,00402C4A,0042DC78,00000000,00000000,00000000), ref: 00404F60
Part of subcall function 00404F04: SetWindowTextA.USER32(0042DC78,0042DC78), ref: 00404F72
Part of subcall function 00404F04: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F98
Part of subcall function 00404F04: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FB2
Part of subcall function 00404F04: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FC0

CreateDialogParamA.USER32(0000006F,00000000,00402B3B,00000000), ref: 00402C5B
ShowWindow.USER32(00000000,00000005), ref: 00402C69

Part of subcall function 00402BB7: MulDiv.KERNEL32(00000000,00000064,00000004), ref: 00402BCC

Strings

... %d%%, xrefs: 00402C31

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 02cd7cf1b4c9dc1e06d43a13f06a46c1327bce63474e00e6603fffb3150c81e6
Instruction ID: d503382bffdb6877589bf5e9d8f4d3b6a3320859dd1babf1ed2f4cbaa8b03d3e
Opcode Fuzzy Hash: 02cd7cf1b4c9dc1e06d43a13f06a46c1327bce63474e00e6603fffb3150c81e6
Instruction Fuzzy Hash: 2501A170809214EBD7219F61EE4DA9F77A8BB01701B10403BF901F11E9DAB89901DBEF

Function 004047D3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 004047EE
GetMessagePos.USER32 ref: 004047F6
ScreenToClient.USER32(?,?), ref: 00404810
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404822
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404848

Strings

f, xrefs: 00404824

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction ID: 01d6173a61c3c3b4b037133c9a52f1e04ee3049876a8ff08b59bebc5d15cf036
Opcode Fuzzy Hash: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction Fuzzy Hash: BA018075D40218BADB00DB94CC41BFEBBBCAB55711F10412ABB00B61C0C3B46501CB95

Function 00402B3B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B56
wsprintfA.USER32 ref: 00402B8A
SetWindowTextA.USER32(?,?), ref: 00402B9A
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BAC

Strings

unpacking data: %d%%, xrefs: 00402B78, 00402B88
verifying installer: %d%%, xrefs: 00402B7F

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: 9af37322b4a8c4315db75c794ccca9b4a5d46a3d1f417319ca6675d20cac232d
Instruction ID: 42736c47b098eae16a91b662ba86b6af227696c677de4a6351d43f215c84d625
Opcode Fuzzy Hash: 9af37322b4a8c4315db75c794ccca9b4a5d46a3d1f417319ca6675d20cac232d
Instruction Fuzzy Hash: 86F03671900109ABEF259F51DD0ABEE3779EB00305F008036FA05B51D1D7F9AA559F99

Function 00401F51 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401F7C

Part of subcall function 00404F04: lstrlenA.KERNEL32(0042DC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000,?), ref: 00404F3D
Part of subcall function 00404F04: lstrlenA.KERNEL32(00402C4A,0042DC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000), ref: 00404F4D
Part of subcall function 00404F04: lstrcatA.KERNEL32(0042DC78,00402C4A,00402C4A,0042DC78,00000000,00000000,00000000), ref: 00404F60
Part of subcall function 00404F04: SetWindowTextA.USER32(0042DC78,0042DC78), ref: 00404F72
Part of subcall function 00404F04: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F98
Part of subcall function 00404F04: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FB2
Part of subcall function 00404F04: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FC0

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401F8C
GetProcAddress.KERNEL32(00000000,?), ref: 00401F9C
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402007

Strings

oD, xrefs: 00401FC7

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: oD
API String ID: 2987980305-1423469843
Opcode ID: aa3bd6656b727ffeb89295934e2ec15f0bb95f9d8d152917cfc451ee600f519d
Instruction ID: bdc715ebbed8c2eda9ea234d2d213aec03b0b01e395bd1d50e003243710bed61
Opcode Fuzzy Hash: aa3bd6656b727ffeb89295934e2ec15f0bb95f9d8d152917cfc451ee600f519d
Instruction Fuzzy Hash: 10212B32D04216ABCF207FA4CE89AAE75B0AB45398F20463BF511B62E1D77C4D41A65E

Function 00405DC8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,00479000,0046F000,00479000,00000000,00403214,00479000,00000000,00403386), ref: 00405E20
CharNextA.USER32(?,?,?,00000000), ref: 00405E2D
CharNextA.USER32(?,00479000,0046F000,00479000,00000000,00403214,00479000,00000000,00403386), ref: 00405E32
CharPrevA.USER32(?,?,0046F000,00479000,00000000,00403214,00479000,00000000,00403386), ref: 00405E42

Strings

*?|<>/":, xrefs: 00405E10

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: d60fa47d96b079028a76cfcdb2d30976ede71f36b1f4f1e1bc9c50cb25bd2be5
Instruction ID: 3b6179abbfe29fc78842bf11aa846075366cc437f950451d76d565b88bc2b460
Opcode Fuzzy Hash: d60fa47d96b079028a76cfcdb2d30976ede71f36b1f4f1e1bc9c50cb25bd2be5
Instruction Fuzzy Hash: A0110861805B9129EB3227284C48BBB7F89CF66754F18447FD8C4722C2C67C5D429FAD

Function 00401734 Relevance: 7.6, APIs: 5, Instructions: 147stringtimeCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(00000000,00000000,00409B70,00473000,00000000,00000000,00000031), ref: 00401773
CompareFileTime.KERNEL32(-00000014,?,00409B70,00409B70,00000000,00000000,00409B70,00473000,00000000,00000000,00000031), ref: 0040179D

Part of subcall function 00405B66: lstrcpynA.KERNEL32(?,?,00002000,004032AA,00442EA0,NSIS Error), ref: 00405B73

Part of subcall function 00404F04: lstrlenA.KERNEL32(0042DC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000,?), ref: 00404F3D
Part of subcall function 00404F04: lstrlenA.KERNEL32(00402C4A,0042DC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000), ref: 00404F4D
Part of subcall function 00404F04: lstrcatA.KERNEL32(0042DC78,00402C4A,00402C4A,0042DC78,00000000,00000000,00000000), ref: 00404F60
Part of subcall function 00404F04: SetWindowTextA.USER32(0042DC78,0042DC78), ref: 00404F72
Part of subcall function 00404F04: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F98
Part of subcall function 00404F04: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FB2
Part of subcall function 00404F04: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FC0

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID:
API String ID: 1941528284-0
Opcode ID: bcffe38cf0625ffddfb22b7a3aadbbe6959021bc8cf5848348ca87b96c5d944c
Instruction ID: 387613274165ae398735932c2abc0a0b51f1de13e66d7cff8d2fd5b5c87d53b9
Opcode Fuzzy Hash: bcffe38cf0625ffddfb22b7a3aadbbe6959021bc8cf5848348ca87b96c5d944c
Instruction Fuzzy Hash: BA41E531900515BBCB10BFB5DD46EAF3A79EF02369B20433BF511B11E1D63C5A418AAE

Function 00402A36 Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A57
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A93
RegCloseKey.ADVAPI32(?), ref: 00402A9C
RegCloseKey.ADVAPI32(?), ref: 00402AC1
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402ADF

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 3379485738d87ea4489a121fc5fe0e7c5314169862274de7ec56f73532940607
Instruction ID: 259584080012af4a033af28bf2d78e0e72ca5e45c602eb3588b612967464464b
Opcode Fuzzy Hash: 3379485738d87ea4489a121fc5fe0e7c5314169862274de7ec56f73532940607
Instruction Fuzzy Hash: 4B116A75600009FFDF219F90DE48DAF7B6DEB41344B104436F945A00E0DBB49E55AF6A

Function 00401CC1 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401CC5
GetClientRect.USER32(00000000,?), ref: 00401CD2
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401CF3
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D01
DeleteObject.GDI32(00000000), ref: 00401D10

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 1287b685b981209588b0c59fc6f246be62162b0e9befa8d8972b60fe26002a3e
Instruction ID: 086d5b446e16212717cf7668c87d994395aec52f986300cbf4c27fae309feacd
Opcode Fuzzy Hash: 1287b685b981209588b0c59fc6f246be62162b0e9befa8d8972b60fe26002a3e
Instruction Fuzzy Hash: 91F01DB2E04105BFD700EBA4EE89DAFB7BDEB44345B104576F602F2190C6789D018B69

Function 004046F1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00431CA0,00431CA0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404611,000000DF,0000040F,00000400,00000000), ref: 0040477F
wsprintfA.USER32 ref: 00404787
SetDlgItemTextA.USER32(?,00431CA0), ref: 0040479A

Strings

%u.%u%s%s, xrefs: 00404769

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: d88b1909310242b71c322c81ec026df4f0a2953a5b23512ca8fb632b4258ee74
Instruction ID: 36010866de4d4973df748f9dd838e75dfff237001bd6de138a618f82c9ba1ae9
Opcode Fuzzy Hash: d88b1909310242b71c322c81ec026df4f0a2953a5b23512ca8fb632b4258ee74
Instruction Fuzzy Hash: 16113473A001243BDB00626D8C45EEF3259CBD6335F14023BFA25F71D1E978AC1282E8

Function 00401BAD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C25

Strings

!, xrefs: 00401BE1

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: a869fc4ed9d69aa89ddab629416d3bed9472318dc20609659f67b64c2dc426d5
Instruction ID: d701d1914d9a432f1ee94957cc89600c82e7343f4fc37ddb5fc3d32b609c0d77
Opcode Fuzzy Hash: a869fc4ed9d69aa89ddab629416d3bed9472318dc20609659f67b64c2dc426d5
Instruction Fuzzy Hash: D821C4B1A44209BFEF01AFB4CE4AAAE7B75EF44344F14053EF602B60D1D6B84980E718

Function 00402303 Relevance: 6.1, APIs: 4, Instructions: 71registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402341
lstrlenA.KERNEL32(0040DB70,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 00402361
RegSetValueExA.ADVAPI32(?,?,?,?,0040DB70,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040239A
RegCloseKey.ADVAPI32(?,?,?,0040DB70,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040247D

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: 8b33dd6d6b2b8ed07ef4678f841582e7408791eb548e0479778c362945471d50
Instruction ID: 296c73fb00ad4de5de759cf5fdeaac1d87e05e13d386f830c03a67a49eb44fa0
Opcode Fuzzy Hash: 8b33dd6d6b2b8ed07ef4678f841582e7408791eb548e0479778c362945471d50
Instruction Fuzzy Hash: 261160B1E00109BFEB10AFA0DE49EAF767DFB54398F10413AF905B61D0D6B85D019669

Function 004015B3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 004056ED: CharNextA.USER32(0040549F,?,0043BCA8,00000000,00405751,0043BCA8,0043BCA8,?,?,74DF2EE0,0040549F,?,0046F000,74DF2EE0), ref: 004056FB
Part of subcall function 004056ED: CharNextA.USER32(00000000), ref: 00405700
Part of subcall function 004056ED: CharNextA.USER32(00000000), ref: 0040570F

CreateDirectoryA.KERNEL32(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
GetFileAttributesA.KERNEL32(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
SetCurrentDirectoryA.KERNEL32(00000000,00473000,00000000,00000000,000000F0), ref: 00401622

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID:
API String ID: 3751793516-0
Opcode ID: 5b00c1ef3ae773a6d77c22359f08be701cdee15cca4b29b31090401c75d27140
Instruction ID: 1bea97f6ad753e655b82da7d5523b655d2584313a213d434da7226bf4f447ea8
Opcode Fuzzy Hash: 5b00c1ef3ae773a6d77c22359f08be701cdee15cca4b29b31090401c75d27140
Instruction Fuzzy Hash: 790108318081419FDB116F751D4497F6BB0AA56369724073FF491B22E2C63C0941962E

Function 00401EC5 Relevance: 6.1, APIs: 4, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401ED4
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401EF2
GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F0B
VerQueryValueA.VERSION(?,00409010,?,?,?,?,?,00000000), ref: 00401F24

Part of subcall function 00405AC4: wsprintfA.USER32 ref: 00405AD1

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: 533bbaa52b75f52b026b180ddfe2c12257574f1b88f86b37d6c92ef85265d070
Instruction ID: 469f1bc5c2da8f7bf21418c9fa7c855411c387b6ab03f9ca10b763bcdfe7d214
Opcode Fuzzy Hash: 533bbaa52b75f52b026b180ddfe2c12257574f1b88f86b37d6c92ef85265d070
Instruction Fuzzy Hash: 4F113A71A00108BEDB01EFA5DD819AEBBB9EB49344B20853AF501F61E1D7389A54DB28

Function 00401D1B Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D22
GetDeviceCaps.GDI32(00000000), ref: 00401D29
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D38
CreateFontIndirectA.GDI32(00413B74), ref: 00401D8A

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirect
String ID:
API String ID: 3272661963-0
Opcode ID: f773f28dbc82b117281100af00a35109cec4549a2863c8757596b2bdf6898e11
Instruction ID: dbc87e4f6ee83b20b8f61a8a7c3942786851e2433e4431165b402845567ff4dd
Opcode Fuzzy Hash: f773f28dbc82b117281100af00a35109cec4549a2863c8757596b2bdf6898e11
Instruction Fuzzy Hash: D0F0A470A8C240AFE7016BB0AD0ABD93F649721317F10446AF141BA1E3D57C21009B7E

Function 00404E54 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404E8A
CallWindowProcA.USER32(?,00000200,?,?), ref: 00404EF8

Part of subcall function 00403F64: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 00403F76

Strings

, xrefs: 00404E62

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: a84b5296b4eeae82f408269d2d1b8d7033f61a03f51c3bbd89419221396ae481
Instruction ID: 574ffcac201dacb39b42018bad0bebdbc1389d908601d56a0bf61ad4508792f4
Opcode Fuzzy Hash: a84b5296b4eeae82f408269d2d1b8d7033f61a03f51c3bbd89419221396ae481
Instruction Fuzzy Hash: D6114F71940208BBEF21AF52DC4499F3729FB45769F00803BF604792E1C77D5A519BAD

Function 004057B2 Relevance: 5.0, APIs: 4, Instructions: 30stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,004059C0,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057B9
lstrcmpiA.KERNEL32(00000000,00000000), ref: 004057D2
CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 004057E0
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004059C0,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057E9

Memory Dump Source

Source File: 00000000.00000002.1722120987.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1722107573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722136817.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.0000000000417000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722149697.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1722230617.000000000052B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Uninstall.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction ID: 042c172281cf084eebf1820456e7eb749b121a10276c912c68532230cfd8689c
Opcode Fuzzy Hash: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction Fuzzy Hash: BBF0A736249D51DBC2029B295C44E6FBEA4EF95355F14057EF440F3180D335AC11ABBB

Analysis Process: Au_.exePID: 7432, Parent PID: 7408COMMON

Execution Graph

Execution Coverage:	4.6%
Dynamic/Decrypted Code Coverage:	26%
Signature Coverage:	10.4%
Total number of Nodes:	1269
Total number of Limit Nodes:	68

Executed Functions

Function 1000255E Relevance: 126.7, APIs: 69, Strings: 3, Instructions: 673
threadwindowfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,10004314,00000001), ref: 10002601
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 10002610
CreateFileMappingA.KERNEL32(000000FF,00000000,08000004,00000000,?,00000000), ref: 1000262D
MapViewOfFile.KERNELBASE(00000000,000F001F,00000000,00000000,00000000), ref: 10002645
CreateThread.KERNELBASE(00000000,00000001,10002218,00000000,00000000,00000000), ref: 10002673
GetLastError.KERNEL32 ref: 10002682
GetCurrentProcessId.KERNEL32 ref: 100026B8
GetCurrentThreadId.KERNEL32 ref: 100026BA
SendMessageA.USER32(00008004,0000053A,00000000), ref: 10002753
GetCurrentProcessId.KERNEL32 ref: 1000275E
GetCurrentThreadId.KERNEL32 ref: 10002760
SetWindowLongA.USER32(?,000000FC,10002489), ref: 10002784
GetCurrentProcessId.KERNEL32 ref: 100027BD
GetCurrentThreadId.KERNEL32 ref: 100027BF
wsprintfA.USER32 ref: 100027EF
GetCurrentProcessId.KERNEL32 ref: 100027F8
GetCurrentProcessId.KERNEL32 ref: 100027FF
GetCurrentThreadId.KERNEL32 ref: 10002801
wsprintfA.USER32 ref: 10002831
GetLastError.KERNEL32 ref: 1000283A
GetCurrentProcessId.KERNEL32 ref: 10002843

Part of subcall function 10002E72: CharNextA.USER32(?,?,?,00000000,?,?,1000285D,?,00000000,00000000), ref: 10002EAB
Part of subcall function 10002E72: CharNextA.USER32(00000000,?,?,1000285D,?,00000000,00000000), ref: 10002EB8
Part of subcall function 10002E72: CharNextA.USER32(?,?,?,00000000,?,?,1000285D,?,00000000,00000000), ref: 10002F04

SetCurrentDirectoryA.KERNEL32(-10002318,00000001,?,00000017,00000001,00000000,00000000,?,00000017,?,00000000,00000000), ref: 1000293E
wsprintfA.USER32 ref: 1000271F

Part of subcall function 10002E29: GetVersionExA.KERNEL32(00000094,?), ref: 10002E51

PostMessageA.USER32(00008005,00000000,00000000,00000000), ref: 100029AC
GetCommandLineA.KERNEL32(00000000,00000001), ref: 100029FA
IsWindowVisible.USER32(?), ref: 10002A2D
GetModuleHandleA.KERNEL32(00000000), ref: 10002A3C
CreateDialogParamA.USER32(?,0000006F,00000000,10002559,00000000), ref: 10002A5A
GetWindowLongA.USER32(00000000,000000EC), ref: 10002A8F
SetWindowLongA.USER32(?,000000EC,00000000), ref: 10002A9F
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027), ref: 10002AAF
LoadIconA.USER32(?,00000067), ref: 10002ABA
FindWindowExA.USER32(?,00000000,00000000,00000000), ref: 10002AC9
GetDlgItem.USER32(?,00000406), ref: 10002AFA
ShowWindow.USER32(00000000,00000005), ref: 10002B06
GetClientRect.USER32(?,?), ref: 10002B0F
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000014), ref: 10002B23
GetWindowLongA.USER32(?,000000F0), ref: 10002B2E

Part of subcall function 10002357: GetWindowThreadProcessId.USER32(?,?), ref: 10002378
Part of subcall function 10002357: OpenProcess.KERNEL32(00000040,00000000,?,SeDebugPrivilege,00000001,?), ref: 10002395
Part of subcall function 10002357: GetLastError.KERNEL32 ref: 100023A2

CloseHandle.KERNEL32(?), ref: 10002D3B
wsprintfA.USER32 ref: 10002D65
wsprintfA.USER32 ref: 10002D77
wsprintfA.USER32 ref: 10002D88
wsprintfA.USER32 ref: 10002D9D
GlobalFree.KERNEL32(?), ref: 10002DBC

Strings

seclogon, xrefs: 10002C25
runas, xrefs: 10002A26, 10002A6D
/UAC:%X /NCRC%s, xrefs: 10002C0D

Memory Dump Source

Source File: 00000001.00000002.2976574315.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2976553438.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2976597083.0000000010004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2976619836.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Au_.jbxd

Similarity

API ID: Current$Window$Process$wsprintf$Thread$Create$Long$CharErrorLastNext$EventFileHandleMessage$ClientCloseCommandDialogDirectoryFindFreeGlobalIconItemLineLoadMappingModuleOpenParamPostRectSendShowVersionViewVisible
String ID: /UAC:%X /NCRC%s$runas$seclogon
API String ID: 4203222356-462553597
Opcode ID: b8bffdd8edf15f6d2e6f2047910d3067d7e53094fbef8e7a65abfebefa32b766
Instruction ID: ddd6d321f0c270f260a7080946e7e23422a5c93e7fb2e2ebcac8c0dbbdaa7338
Opcode Fuzzy Hash: b8bffdd8edf15f6d2e6f2047910d3067d7e53094fbef8e7a65abfebefa32b766
Instruction Fuzzy Hash: F94249B4904299AFFB01DFA4CC89ADE7FB9EB043C4F114066F544A7269DB708E85CB61

Function 0040323C Relevance: 61.5, APIs: 23, Strings: 12, Instructions: 270
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 0040325B
SetErrorMode.KERNELBASE(00008001), ref: 00403266
OleInitialize.OLE32(00000000), ref: 0040326D

Part of subcall function 00405E88: GetModuleHandleA.KERNEL32(?,?,00000000,0040327F,00000008), ref: 00405E9A
Part of subcall function 00405E88: LoadLibraryA.KERNELBASE(?,?,00000000,0040327F,00000008), ref: 00405EA5
Part of subcall function 00405E88: GetProcAddress.KERNEL32(00000000,?), ref: 00405EB6

SHGetFileInfoA.SHELL32(00429C58,00000000,?,00000160,00000000,00000008), ref: 00403295

Part of subcall function 00405B66: lstrcpynA.KERNEL32(?,?,00002000,004032AA,00442EA0,NSIS Error), ref: 00405B73

GetCommandLineA.KERNEL32(00442EA0,NSIS Error), ref: 004032AA
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" ,00000000), ref: 004032BD
CharNextA.USER32(00000000,"C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" ,00000020), ref: 004032E8
GetTempPathA.KERNEL32(00002000,00479000,00000000,00000020), ref: 0040337B
GetWindowsDirectoryA.KERNEL32(00479000,00001FFB), ref: 00403390
lstrcatA.KERNEL32(00479000,\Temp), ref: 0040339C
DeleteFileA.KERNELBASE(00477000), ref: 004033AF
OleUninitialize.OLE32(00000000), ref: 0040342D
ExitProcess.KERNEL32 ref: 0040344D
lstrcatA.KERNEL32(00479000,~nsu.tmp,"C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" ,00000000,00000000), ref: 00403459
lstrcmpiA.KERNEL32(00479000,00475000), ref: 00403465
CreateDirectoryA.KERNEL32(00479000,00000000), ref: 00403471
SetCurrentDirectoryA.KERNEL32(00479000), ref: 00403478
DeleteFileA.KERNEL32(00427C58,00427C58,?,00447000,?), ref: 004034C2
CopyFileA.KERNEL32(0047D000,00427C58,00000001), ref: 004034D6
CloseHandle.KERNEL32(00000000,00427C58,00427C58,?,00427C58,00000000), ref: 00403503
GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 00403558
ExitWindowsEx.USER32(00000002,00000000), ref: 00403594
ExitProcess.KERNEL32 ref: 004035B7

Strings

", xrefs: 0040330A
NSIS Error, xrefs: 0040329B
~nsu.tmp, xrefs: 00403453
/D=, xrefs: 0040333E
X|B, xrefs: 004034AB
SeShutdownPrivilege, xrefs: 0040356A
\Temp, xrefs: 00403396
_?=, xrefs: 004033D6
Error launching installer, xrefs: 004033E5
"C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" , xrefs: 004032B0, 004032B6, 004033CC
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040324C
NCRC, xrefs: 00403328

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: File$DirectoryExitHandleProcess$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$"$"C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" $Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$NCRC$NSIS Error$SeShutdownPrivilege$X|B$\Temp$~nsu.tmp
API String ID: 2278157092-1326790807
Opcode ID: 3856c4f3656841d568976691278b522b5e2a55f01133d82e53ebf5050a868fc5
Instruction ID: b18730c7e9b155b38634e246beb7c9543dbde463d43dfe3db889f1e824801833
Opcode Fuzzy Hash: 3856c4f3656841d568976691278b522b5e2a55f01133d82e53ebf5050a868fc5
Instruction Fuzzy Hash: 6B91C3319087417EE7216F619C49B6B7EACEB0134AF44453BF885B61E2C77C5A048B6F

Function 6E5AD008 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 92
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32(?,?,?,00000000), ref: 6E5AD039
ProcessIdToSessionId.KERNEL32(00000000,?,?,00000000), ref: 6E5AD040
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00000000), ref: 6E5AD049
_memset.LIBCMT ref: 6E5AD05E
Process32First.KERNEL32(00000000,?), ref: 6E5AD078
ProcessIdToSessionId.KERNELBASE(?,?,?,?,00000000), ref: 6E5AD093
Process32Next.KERNEL32(00000000,00000128), ref: 6E5AD0C6
CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 6E5AD0DF
OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,00000000), ref: 6E5AD0EC
OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,00000000), ref: 6E5AD101
CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 6E5AD113

Strings

explorer.exe, xrefs: 6E5AD0AE

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: Process$CloseHandleOpenProcess32Session$CreateCurrentFirstNextSnapshotTokenToolhelp32_memset
String ID: explorer.exe
API String ID: 2042333109-3187896405
Opcode ID: 6121bc447ca71dcfeb5227fc4dd5cb2363ee95063a191bd5d9e52a791c1ec8bf
Instruction ID: f28419820d7cf6337e3b93d044b8e5821a4a022e7191e159718447e2d478b931
Opcode Fuzzy Hash: 6121bc447ca71dcfeb5227fc4dd5cb2363ee95063a191bd5d9e52a791c1ec8bf
Instruction Fuzzy Hash: 8D31737190162C9FDB11AFA98C84AEEB7FCBF4A314F0504AAFA05E2140DB349E45CF65

Function 0040548B Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 156
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNELBASE(?,?,"C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" ,74DF2EE0), ref: 004054A9
lstrcatA.KERNEL32(00439CA8,\*.*,00439CA8,?,00000000,?,"C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" ,74DF2EE0), ref: 004054F3
lstrcatA.KERNEL32(?,00409010,?,00439CA8,?,00000000,?,"C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" ,74DF2EE0), ref: 00405514
lstrlenA.KERNEL32(?,?,00409010,?,00439CA8,?,00000000,?,"C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" ,74DF2EE0), ref: 0040551A
FindFirstFileA.KERNEL32(00439CA8,?,?,?,00409010,?,00439CA8,?,00000000,?,"C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" ,74DF2EE0), ref: 0040552B
FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 004055DD
FindClose.KERNEL32(?), ref: 004055EE

Strings

\*.*, xrefs: 004054ED
"C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" , xrefs: 00405495

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" $\*.*
API String ID: 2035342205-1696835193
Opcode ID: 7a59cae7945815ac72422d941512dfd3c75fd7012d972d378295304f1a731b5f
Instruction ID: c21d71015f388e95bcdaf446d79f8f0681b512570eb11bb529d8bb9f749da999
Opcode Fuzzy Hash: 7a59cae7945815ac72422d941512dfd3c75fd7012d972d378295304f1a731b5f
Instruction Fuzzy Hash: C0510431804A447ADB216B218C45BBF3B79DF42728F14847BF915711D2C73C5A85DE6E

Function 06D91759 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 77memoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000000), ref: 06D917A0
GetWindowRect.USER32(00000000,?), ref: 06D917AB
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 06D917BB
CreateDialogParamA.USER32(00000001,?,06D914CA,00000000), ref: 06D917D0
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000014), ref: 06D91803
SetWindowLongA.USER32(?,00000004,06D913FB), ref: 06D91811
GetProcessHeap.KERNEL32(00000008,00000000), ref: 06D9182B
HeapAlloc.KERNEL32(00000000), ref: 06D91832

Part of subcall function 06D91E27: GlobalAlloc.KERNEL32(00000040,?,?,06D910BE,error,?,00000104), ref: 06D91E3C
Part of subcall function 06D91E27: lstrcpynA.KERNEL32(00000004,?,?,06D910BE,error,?,00000104), ref: 06D91E52

Strings

error, xrefs: 06D917DF

Memory Dump Source

Source File: 00000001.00000002.2976302121.0000000006D91000.00000020.00000001.01000000.00000009.sdmp, Offset: 06D90000, based on PE: true

Associated: 00000001.00000002.2976276508.0000000006D90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2976439780.0000000006D93000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2976488802.0000000006D94000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2976529163.0000000006D97000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6d90000_Au_.jbxd

Similarity

API ID: Window$AllocHeap$CreateDialogGlobalItemLongParamPointsProcessRectlstrcpyn
String ID: error
API String ID: 1928716940-1574812785
Opcode ID: e0e62d2981085f6c0e0094d4803554541625bbe32c0f6b0b56ccfa3d9f4dff0d
Instruction ID: 90356f27d08473f429ec0e3ba91dcef33b443c9ddced2315ee5a58de08bcc0c7
Opcode Fuzzy Hash: e0e62d2981085f6c0e0094d4803554541625bbe32c0f6b0b56ccfa3d9f4dff0d
Instruction Fuzzy Hash: F221DF72900205FFDB42AFA6EC4AEAABBBAFB49704B014129F71997340D7719514CBB0

Function 6E5B5EB6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 55COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?,00000000,?), ref: 6E5B5ED5
OpenProcessToken.ADVAPI32(00000000), ref: 6E5B5EDC
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 6E5B5EEC
AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000), ref: 6E5B5F1B
CloseHandle.KERNELBASE(?), ref: 6E5B5F2C

Strings

SeDebugPrivilege, xrefs: 6E5B5EEA

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
String ID: SeDebugPrivilege
API String ID: 3038321057-2896544425
Opcode ID: ef0608c05089f3788b6fb42c9381303f1378b89c9610e8e323c34e1f3cacdded
Instruction ID: e4cd91c43633cb3203d3904639301cce5a237d735c0af860210607a23b81535b
Opcode Fuzzy Hash: ef0608c05089f3788b6fb42c9381303f1378b89c9610e8e323c34e1f3cacdded
Instruction Fuzzy Hash: 4A11F7B1A0021DAFDF00DFE5DC99AFFBBFCEB09255F41442AB601E3141DA7599488BA4

Function 00406131 Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d33a5f9df5361017a2c2cd63e74982cac3414c6cd2676332625b738f25334a08
Instruction ID: 7fe690cacb8e5da35aefc448adc87e2f65dc6f56ff44dc44b78e187fa59068bd
Opcode Fuzzy Hash: d33a5f9df5361017a2c2cd63e74982cac3414c6cd2676332625b738f25334a08
Instruction Fuzzy Hash: 70F16871D00229CBDF28CFA8C8946ADBBB1FF44305F25816ED856BB281D7785A96CF44

Function 00405E61 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(?,0043E4F0,0043BCA8,0040577D,0043BCA8,0043BCA8,00000000,0043BCA8,0043BCA8,?,?,74DF2EE0,0040549F,?,"C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" ,74DF2EE0), ref: 00405E6C
FindClose.KERNELBASE(00000000), ref: 00405E78

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 01e595e2f3112a2de1d0a49937830070d80cc3437c46873e90b3c13b0457b4b6
Instruction ID: ad08286ca6cff15a9a126e67a78f5d7bda1c091ca2a48e653f649c3583465e9e
Opcode Fuzzy Hash: 01e595e2f3112a2de1d0a49937830070d80cc3437c46873e90b3c13b0457b4b6
Instruction Fuzzy Hash: 9CD012359495205FC7001739AC0C85B7A58EF593347108B32F969F62E0C7749D52CAED

Function 06D91855 Relevance: 54.5, APIs: 21, Strings: 10, Instructions: 215
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,?), ref: 06D9186E
HeapAlloc.KERNEL32(00000000), ref: 06D91871
GetProcessHeap.KERNEL32(00000000,00000000,error,00000000,00000000), ref: 06D918E4
HeapFree.KERNEL32(00000000), ref: 06D91B18

Part of subcall function 06D91E27: GlobalAlloc.KERNEL32(00000040,?,?,06D910BE,error,?,00000104), ref: 06D91E3C
Part of subcall function 06D91E27: lstrcpynA.KERNEL32(00000004,?,?,06D910BE,error,?,00000104), ref: 06D91E52

Strings

LISTBOX, xrefs: 06D91994
BUTTON, xrefs: 06D9191A, 06D91A72, 06D91AA0
error, xrefs: 06D9188B, 06D918D7
COMBOBOX, xrefs: 06D9196D
EDIT, xrefs: 06D91946
RICHEDIT_CLASS, xrefs: 06D919DF
LINK, xrefs: 06D91A27, 06D91A66
NSIS: nsControl pointer property, xrefs: 06D91AB4
STATIC, xrefs: 06D91A03
RichEdit, xrefs: 06D919BB

Memory Dump Source

Source File: 00000001.00000002.2976302121.0000000006D91000.00000020.00000001.01000000.00000009.sdmp, Offset: 06D90000, based on PE: true

Associated: 00000001.00000002.2976276508.0000000006D90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2976439780.0000000006D93000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2976488802.0000000006D94000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2976529163.0000000006D97000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6d90000_Au_.jbxd

Similarity

API ID: Heap$AllocProcess$FreeGloballstrcpyn
String ID: BUTTON$COMBOBOX$EDIT$LINK$LISTBOX$NSIS: nsControl pointer property$RICHEDIT_CLASS$RichEdit$STATIC$error
API String ID: 1913068523-3375361224
Opcode ID: ecc87499cdd2981e785a74711067681dd4bee769c74c626039637e051ea940c3
Instruction ID: f2a3882090f43e01deda3dc6e89e792a8043d71ede228adc6f040f930d4b6963
Opcode Fuzzy Hash: ecc87499cdd2981e785a74711067681dd4bee769c74c626039637e051ea940c3
Instruction Fuzzy Hash: E1816072900305EBDFA19BA6DD45FAABBFDAB04208F114125F609B7241D674E8498BB4

Function 00403A45 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403A81
ShowWindow.USER32(?), ref: 00403A9E
DestroyWindow.USER32 ref: 00403AB2
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403ACE
GetDlgItem.USER32(?,?), ref: 00403AEF
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403B03
IsWindowEnabled.USER32(00000000), ref: 00403B0A
GetDlgItem.USER32(?,00000001), ref: 00403BB8
GetDlgItem.USER32(?,00000002), ref: 00403BC2
SetClassLongA.USER32(?,000000F2,?), ref: 00403BDC
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403C2D
GetDlgItem.USER32(?,00000003), ref: 00403CD3
ShowWindow.USER32(00000000,?), ref: 00403CF4
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403D06
EnableWindow.USER32(?,?), ref: 00403D21
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403D37
EnableMenuItem.USER32(00000000), ref: 00403D3E
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403D56
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403D69
lstrlenA.KERNEL32(00431CA0,?,00431CA0,00442EA0), ref: 00403D92
SetWindowTextA.USER32(?,00431CA0), ref: 00403DA1
ShowWindow.USER32(?,0000000A), ref: 00403ED5

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: d1df2909c8443b3fe88403e5355a949fcc2aa302fcd8f946eb4fa8d1bfdc8f33
Instruction ID: 1fd14b61aacdda538f00b8b16eb253fda244b111fbceed3359c2b62430d0d08c
Opcode Fuzzy Hash: d1df2909c8443b3fe88403e5355a949fcc2aa302fcd8f946eb4fa8d1bfdc8f33
Instruction Fuzzy Hash: 7EC1A075904204ABDB20AF21ED89E2B3E7CEB5670AF50053EF541B11F1C77AA941DB2E

Function 004036AF Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 216
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405E88: GetModuleHandleA.KERNEL32(?,?,00000000,0040327F,00000008), ref: 00405E9A
Part of subcall function 00405E88: LoadLibraryA.KERNELBASE(?,?,00000000,0040327F,00000008), ref: 00405EA5
Part of subcall function 00405E88: GetProcAddress.KERNEL32(00000000,?), ref: 00405EB6

lstrcatA.KERNEL32(00477000,00431CA0,80000001,Control Panel\Desktop\ResourceLocale,00000000,00431CA0,00000000,00000006,"C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" ,00000000,00479000,00000000), ref: 00403720
lstrlenA.KERNEL32(Show,?,?,?,Show,00000000,00471000,00477000,00431CA0,80000001,Control Panel\Desktop\ResourceLocale,00000000,00431CA0,00000000,00000006,"C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" ), ref: 00403795
lstrcmpiA.KERNEL32(?,.exe), ref: 004037A8
GetFileAttributesA.KERNEL32(Show), ref: 004037B3
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,00471000), ref: 004037FC

Part of subcall function 00405AC4: wsprintfA.USER32 ref: 00405AD1

RegisterClassA.USER32 ref: 00403843
SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 0040385B
CreateWindowExA.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403894
ShowWindow.USER32(00000005,00000000), ref: 004038CA
LoadLibraryA.KERNELBASE(RichEd20), ref: 004038DB
LoadLibraryA.KERNEL32(RichEd32), ref: 004038E6
GetClassInfoA.USER32(00000000,RichEdit20A,00442E40), ref: 004038F6
GetClassInfoA.USER32(00000000,RichEdit,00442E40), ref: 00403903
RegisterClassA.USER32(00442E40), ref: 0040390C
DialogBoxParamA.USER32(?,00000000,00403A45,00000000), ref: 0040392B

Strings

Show, xrefs: 00403763, 0040376B, 00403778, 004037C2, 004037C8
.exe, xrefs: 004037A2
RichEd32, xrefs: 004038E1
RichEdit20A, xrefs: 004038EE, 004038F4
@.D, xrefs: 0040380B
.DEFAULT\Control Panel\International, xrefs: 0040370B
_Nb, xrefs: 00403852, 00403857
Control Panel\Desktop\ResourceLocale, xrefs: 004036E3
RichEd20, xrefs: 004038D6
RichEdit, xrefs: 004038FD
"C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" , xrefs: 004036BB

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" $.DEFAULT\Control Panel\International$.exe$@.D$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$Show$_Nb
API String ID: 914957316-2361814908
Opcode ID: a6de6b6738935fd168663d71524c9ac37fe43b8bdaddfafe1a9c92d4059f03a4
Instruction ID: 3542310957e084efa4f7071889cf7bf748f4eb568de54123e821ab1392b17e28
Opcode Fuzzy Hash: a6de6b6738935fd168663d71524c9ac37fe43b8bdaddfafe1a9c92d4059f03a4
Instruction Fuzzy Hash: 8161E3B46442007FE710AF619D45F2B3AACEB4675AF50443FF940B22E1D7B8AD00CA2E

Function 6E5AD571 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 161
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 6E5AD57B

Part of subcall function 6E5A1792: __EH_prolog3.LIBCMT ref: 6E5A18E1

RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00000001), ref: 6E5AD5E0
_memset.LIBCMT ref: 6E5AD602
RegQueryValueExA.KERNELBASE(?,ProfileImagePath,00000000,?,?,?,6E5B2085), ref: 6E5AD637
_memset.LIBCMT ref: 6E5AD673
ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 6E5AD68A
RegCloseKey.KERNELBASE(?), ref: 6E5AD6B6
__EH_prolog3_GS.LIBCMT ref: 6E5AD6FC
RegOpenKeyExA.KERNELBASE(80000003,?,00000000,00000001,?,0000003C), ref: 6E5AD721
RegCloseKey.KERNELBASE(?,?,00000000,00000001,?,0000003C), ref: 6E5AD731
RegLoadKeyA.ADVAPI32(80000003,?,?), ref: 6E5AD773

Strings

\NTUSER.DAT, xrefs: 6E5AD74C
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\, xrefs: 6E5AD5A3
ProfileImagePath, xrefs: 6E5AD620

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: CloseH_prolog3_Open_memset$EnvironmentExpandH_prolog3LoadQueryStringsValue
String ID: ProfileImagePath$SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$\NTUSER.DAT
API String ID: 3001384537-1680069287
Opcode ID: 4ae5f9ed9e796aa6cb74821f6bd067383e87ecace4c4c4b953e04d9a3cc4884d
Instruction ID: 9e537882a7a30a4a2bbedc09f81e85d8d65e6d458a1cf297058225dfe2424fbb
Opcode Fuzzy Hash: 4ae5f9ed9e796aa6cb74821f6bd067383e87ecace4c4c4b953e04d9a3cc4884d
Instruction Fuzzy Hash: AE515BB19001189BDB24EF98DD98BEEB7FDEB44308F5044A9E609E7140EB749E88CF51

Function 10002218 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 105
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32(00000000), ref: 10002225
CreateWindowExA.USER32(00000080,Static,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 10002244
SetWindowLongA.USER32(00000000,000000FC,1000203A), ref: 1000226B
SetEvent.KERNEL32 ref: 10002277
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 10002295
GetLastError.KERNEL32 ref: 100022A2
GetCurrentProcessId.KERNEL32 ref: 100022C9
GetCurrentThreadId.KERNEL32 ref: 100022CB
SetCurrentDirectoryA.KERNEL32(-10002318), ref: 100022EC
SetEvent.KERNEL32(024D0000,?,?), ref: 10002322
GetLastError.KERNEL32 ref: 1000233C
GetCurrentProcessId.KERNEL32 ref: 10002346
GetCurrentThreadId.KERNEL32 ref: 10002348

Strings

Static, xrefs: 1000223A

Memory Dump Source

Source File: 00000001.00000002.2976574315.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2976553438.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2976597083.0000000010004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2976619836.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Au_.jbxd

Similarity

API ID: Current$ErrorEventLastProcessThreadWindow$CreateDirectoryInitializeLongMultipleObjectsWait
String ID: Static
API String ID: 1011777712-2272013587
Opcode ID: f87cf5b702e5b80ababacfe2cbf545df2d5db53f5eeea3b25a543c0b3abd9a89
Instruction ID: b19a1f2c78ded9c61e6cf6ac1d82f0c9c36c9914aaf08b88ed08d216f752e6fd
Opcode Fuzzy Hash: f87cf5b702e5b80ababacfe2cbf545df2d5db53f5eeea3b25a543c0b3abd9a89
Instruction Fuzzy Hash: E631AEB11043A1AFF304DFA4CC89DAA7BE9FB813C1B115A1AF5818216DDB749A44CB25

Function 10001D8D Relevance: 24.5, APIs: 7, Strings: 7, Instructions: 36
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(ADVAPI32,?,?,?,00000000,100025DF,10004314,00000001), ref: 10001D9C
LoadLibraryA.KERNEL32(ShlWAPI,?,?,00000000,100025DF,10004314,00000001), ref: 10001DA5
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 10001DB5
LoadLibraryA.KERNELBASE(SECUR32,?,?,00000000,100025DF,10004314,00000001), ref: 10001DC1
GetProcAddress.KERNELBASE(00000000,GetUserNameExA), ref: 10001DC9
GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW), ref: 10001DD6
GetProcAddress.KERNEL32(00000000,SHGetValueA), ref: 10001DE3

Strings

GetUserNameExA, xrefs: 10001DC3
ShlWAPI, xrefs: 10001D9E
CheckTokenMembership, xrefs: 10001DAD
ADVAPI32, xrefs: 10001D97
SECUR32, xrefs: 10001DB7
CreateProcessWithLogonW, xrefs: 10001DCB
SHGetValueA, xrefs: 10001DD8

Memory Dump Source

Source File: 00000001.00000002.2976574315.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2976553438.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2976597083.0000000010004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2976619836.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Au_.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: ADVAPI32$CheckTokenMembership$CreateProcessWithLogonW$GetUserNameExA$SECUR32$SHGetValueA$ShlWAPI
API String ID: 2238633743-3146761024
Opcode ID: 9f578335a7462a9d06165b154334da01859a062d7052b787f04a66628dbe4e7e
Instruction ID: 970619d925c3357b7edda12471f2845ff4177baf837b1f29e5b7fd8b27ec2a06
Opcode Fuzzy Hash: 9f578335a7462a9d06165b154334da01859a062d7052b787f04a66628dbe4e7e
Instruction Fuzzy Hash: ECF09EE1A0526866EA10FBF75C88CCB7F9CDB842D03431426F304D3119DF7465008AA9

Function 00402C72 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402C86
GetModuleFileNameA.KERNEL32(00000000,0047D000,00002000), ref: 00402CA2

Part of subcall function 0040583D: GetFileAttributesA.KERNELBASE(00000003,00402CB5,0047D000,80000000,00000003), ref: 00405841
Part of subcall function 0040583D: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405863

GetFileSize.KERNEL32(00000000,00000000,0047F000,00000000,00475000,00475000,0047D000,0047D000,80000000,00000003), ref: 00402CEB
GlobalAlloc.KERNELBASE(00000040,00409130), ref: 00402E32

Strings

Null, xrefs: 00402D6B
soft, xrefs: 00402D62
Inst, xrefs: 00402D59
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402EC9
Error launching installer, xrefs: 00402CC2
"C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" , xrefs: 00402C7F
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402E7B

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" $Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-3734043160
Opcode ID: 3b0b24f37f6badd2fd74752bf169a0ace79c66ec4c6eac9ab668145822c720f9
Instruction ID: 03df0606648b4ab024968444c385b092b5c0145c7837f8ae0f7e4b1fa0432a39
Opcode Fuzzy Hash: 3b0b24f37f6badd2fd74752bf169a0ace79c66ec4c6eac9ab668145822c720f9
Instruction Fuzzy Hash: EB61C171940215ABDB20DF65DE89B9A77B8EB05314F20403BF904B72D2D7BC9E418BAD

Function 100019EE Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 139
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetLastError.KERNEL32(00000000,?,74DF2E90,00000000), ref: 10001A17
GetVersionExA.KERNEL32(00000094), ref: 10001A24
OpenProcessToken.ADVAPI32(000000FF,00000008,?), ref: 10001A54
GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,1000295B), ref: 10001AA9
GetLastError.KERNEL32 ref: 10001AAF
GlobalAlloc.KERNEL32(00000040,1000295B), ref: 10001ABF
GetTokenInformation.ADVAPI32(?,00000002,00000000,1000295B,1000295B), ref: 10001AD8
EqualSid.ADVAPI32(00000004,00000201), ref: 10001AF0
GlobalFree.KERNEL32(00000000), ref: 10001B0F
GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),?,0000001E,?), ref: 10001B3D
CloseHandle.KERNEL32(?), ref: 10001B76

Strings

, xrefs: 10001A77

Memory Dump Source

Source File: 00000001.00000002.2976574315.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2976553438.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2976597083.0000000010004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2976619836.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Au_.jbxd

Similarity

API ID: Token$Information$ErrorGlobalLast$AllocCloseEqualFreeHandleOpenProcessVersion
String ID:
API String ID: 3001326878-3916222277
Opcode ID: c7d1740b25f1474719ac38a49dd1d30be75818a02373dd9f99f302537117a0a0
Instruction ID: 8885ee99dfe0ad60422c1baee37923041b56a2e906735ebbe117bcd46d695efb
Opcode Fuzzy Hash: c7d1740b25f1474719ac38a49dd1d30be75818a02373dd9f99f302537117a0a0
Instruction Fuzzy Hash: 9B515872A01229ABEB20CFA0CD48BDEBBF8EF057C5F1141A5E555E3194E7749A84CB60

Function 00405B88 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 197
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(?,0042DC78,00000000,00404F3C,0042DC78,00000000), ref: 00405C30
GetSystemDirectoryA.KERNEL32(Show,00002000), ref: 00405CAB
GetWindowsDirectoryA.KERNEL32(Show,00002000), ref: 00405CBE
SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00405CFA
SHGetPathFromIDListA.SHELL32(00000000,Show), ref: 00405D08
CoTaskMemFree.OLE32(00000000), ref: 00405D13
lstrcatA.KERNEL32(Show,\Microsoft\Internet Explorer\Quick Launch), ref: 00405D35
lstrlenA.KERNEL32(Show,?,0042DC78,00000000,00404F3C,0042DC78,00000000), ref: 00405D87

Strings

Show, xrefs: 00405BB1, 00405C78, 00405C95, 00405CAA, 00405CBD, 00405CD9, 00405D04, 00405D34, 00405D3A, 00405D52, 00405D65, 00405D80, 00405D86, 00405D91, 00405DBB
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405C7A
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405D2F

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Show$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-2066119300
Opcode ID: d95055c75f5f692918c932c11799aea61300af81de6ec283d83934cb0b8c810f
Instruction ID: 9e5192f8493aa47ebdc16a38911c6d04ebd0228925298aebbb8fa2a4147c3c24
Opcode Fuzzy Hash: d95055c75f5f692918c932c11799aea61300af81de6ec283d83934cb0b8c810f
Instruction Fuzzy Hash: AC510335904A05AAEF215B64DC88B7F3BA4DF56324F24823BE911B62D0D37C5981DF4E

Function 6E5A53EE Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 188
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 6E5A53F8

Part of subcall function 6E5A57E7: __EH_prolog3.LIBCMT ref: 6E5A57EE
Part of subcall function 6E5A57E7: std::locale::_Init.LIBCPMT ref: 6E5A5806

RegOpenKeyExA.KERNELBASE(?,?,00000000,00020019,00000000,^[0-9]{0,10}\.[0-9]{0,10}\.[0-9]{0,10}\.[0-9]{0,10}$,?,6E5E1704,0000000000.0000000000.0000000000.0000000000), ref: 6E5A5482
_swscanf.LIBCMT ref: 6E5A55A6
_memset.LIBCMT ref: 6E5A55C3

Part of subcall function 6E5A135C: _memmove.LIBCMT ref: 6E5A13C1

RegCloseKey.KERNELBASE(00000000,?,6E5E1704,0000000000.0000000000.0000000000.0000000000), ref: 6E5A569A

Strings

0000000000.0000000000.0000000000.0000000000, xrefs: 6E5A5416
%u.%u.%u.%u, xrefs: 6E5A55A0
%010u.%010u.%010u.%010u, xrefs: 6E5A55E6
^[0-9]{0,10}\.[0-9]{0,10}\.[0-9]{0,10}\.[0-9]{0,10}$, xrefs: 6E5A5440
0.0.0.0, xrefs: 6E5A54EA

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: CloseH_prolog3H_prolog3_InitOpen_memmove_memset_swscanfstd::locale::_
String ID: %010u.%010u.%010u.%010u$%u.%u.%u.%u$0.0.0.0$0000000000.0000000000.0000000000.0000000000$^[0-9]{0,10}\.[0-9]{0,10}\.[0-9]{0,10}\.[0-9]{0,10}$
API String ID: 1536882420-71908733
Opcode ID: 91ce8659f5144d90e8ddad24958936a5b4f91e0218e4bdd4bf120040383c9400
Instruction ID: f5392a44547bc869339f7e5d0fccfcb96c2eee6ca11b5cf68c8171d46d4c7116
Opcode Fuzzy Hash: 91ce8659f5144d90e8ddad24958936a5b4f91e0218e4bdd4bf120040383c9400
Instruction Fuzzy Hash: AB814471900218AFDF24CBE8CD90FEDB7B9AF50304F544599E21AAB181EB706E89CF51

Function 6E5AD79C Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 202
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000003,?,00000000,00000001,?), ref: 6E5AD82B
_memset.LIBCMT ref: 6E5AD84D
RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,?,6E5B2085), ref: 6E5AD888
__EH_prolog3_GS.LIBCMT ref: 6E5AD7A6

Part of subcall function 6E5AD571: __EH_prolog3_GS.LIBCMT ref: 6E5AD6FC
Part of subcall function 6E5AD571: RegOpenKeyExA.KERNELBASE(80000003,?,00000000,00000001,?,0000003C), ref: 6E5AD721
Part of subcall function 6E5AD571: RegCloseKey.KERNELBASE(?,?,00000000,00000001,?,0000003C), ref: 6E5AD731

Part of subcall function 6E5A219D: __EH_prolog3.LIBCMT ref: 6E5A21A4

RegCloseKey.ADVAPI32(?), ref: 6E5AD9F4
__EH_prolog3_GS.LIBCMT ref: 6E5ADA3E

Strings

AppData, xrefs: 6E5ADA7D
\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, xrefs: 6E5AD7EE
%USERPROFILE%, xrefs: 6E5AD8F1

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: H_prolog3_$CloseOpen$H_prolog3QueryValue_memset
String ID: %USERPROFILE%$AppData$\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
API String ID: 1156556799-104435484
Opcode ID: 7f7d33490952ff0a7371795f466933c058c6d06ee7232d1e97f162faa4ade3c3
Instruction ID: a490bbb90fc8400c5a206ca5dfcc81e980080da244c2d31e06592f8e2b36c713
Opcode Fuzzy Hash: 7f7d33490952ff0a7371795f466933c058c6d06ee7232d1e97f162faa4ade3c3
Instruction Fuzzy Hash: 468139709012289FDB24DFA8CA51BDEB7F9AF95308F5044D99749A7140EB306F89CF51

Function 02502440 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 136memorystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 025024F5
GlobalAlloc.KERNEL32(00000040,?), ref: 0250251F
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 02502537
GlobalAlloc.KERNEL32(00000040,00000010), ref: 02502546
CLSIDFromString.OLE32(00000000,00000000), ref: 02502553
GlobalFree.KERNEL32(00000000), ref: 0250255A
GlobalFree.KERNELBASE(00000000), ref: 0250258E

Part of subcall function 02501550: lstrcpyA.KERNEL32(00000000,?,02501607,?,025011A1,-000000A0), ref: 0250155A

Strings

@Hmu, xrefs: 02502553

Memory Dump Source

Source File: 00000001.00000002.2973409424.0000000002501000.00000020.00000001.01000000.00000008.sdmp, Offset: 02500000, based on PE: true

Associated: 00000001.00000002.2973389138.0000000002500000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.2973429594.0000000002503000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.2973449141.0000000002505000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2500000_Au_.jbxd

Similarity

API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpylstrlen
String ID: @Hmu
API String ID: 520554397-887474944
Opcode ID: e764d93d6f0044be3afa383e6023ea22db77ee8a390343bb5b64386ecb4ad68e
Instruction ID: a6fa219e3a55f6d96488bd4d5a92c23d2f614c0499a1ee7fec8a4d61f572bf7f
Opcode Fuzzy Hash: e764d93d6f0044be3afa383e6023ea22db77ee8a390343bb5b64386ecb4ad68e
Instruction Fuzzy Hash: 58418B719052029FD7209F64DCE8B3A7BF8FB84315F144959ED4ADA5C0DB70A884CB6E

Function 06D91C59 Relevance: 12.1, APIs: 8, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000040D,00000000), ref: 06D91C71
ShowWindow.USER32(00000008), ref: 06D91C7F
KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 06D91C9B
IsDialogMessageA.USER32(?), ref: 06D91CAB
IsDialogMessageA.USER32(?), ref: 06D91CBB
TranslateMessage.USER32(?), ref: 06D91CC5
DispatchMessageA.USER32(?), ref: 06D91CCF
SetWindowLongA.USER32(?,00000004), ref: 06D91CE9

Memory Dump Source

Source File: 00000001.00000002.2976302121.0000000006D91000.00000020.00000001.01000000.00000009.sdmp, Offset: 06D90000, based on PE: true

Associated: 00000001.00000002.2976276508.0000000006D90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2976439780.0000000006D93000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2976488802.0000000006D94000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2976529163.0000000006D97000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6d90000_Au_.jbxd

Similarity

API ID: Message$DialogWindow$CallbackDispatchDispatcherLongSendShowTranslateUser
String ID:
API String ID: 4159918924-0
Opcode ID: 9e27d73ac1fd1a098ef129b5778d4683a7b407bacddc5a55fa9cf91356b5442e
Instruction ID: 66b9fb42f1deb04f328a21f2089ce901ff374097b19388025dc0669a5baa66c3
Opcode Fuzzy Hash: 9e27d73ac1fd1a098ef129b5778d4683a7b407bacddc5a55fa9cf91356b5442e
Instruction Fuzzy Hash: 6711053180020AABCF12AFA7FD09EAA7BBFFB45605B414021F70992294D7309415CBB0

Function 00401734 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 147stringtimeCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(00000000,00000000,Show,00473000,00000000,00000000,00000031), ref: 00401773
CompareFileTime.KERNEL32(-00000014,?,Show,Show,00000000,00000000,Show,00473000,00000000,00000000,00000031), ref: 0040179D

Part of subcall function 00405B66: lstrcpynA.KERNEL32(?,?,00002000,004032AA,00442EA0,NSIS Error), ref: 00405B73

Part of subcall function 00404F04: lstrlenA.KERNEL32(0042DC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000,?), ref: 00404F3D
Part of subcall function 00404F04: lstrlenA.KERNEL32(00402C4A,0042DC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000), ref: 00404F4D
Part of subcall function 00404F04: lstrcatA.KERNEL32(0042DC78,00402C4A,00402C4A,0042DC78,00000000,00000000,00000000), ref: 00404F60
Part of subcall function 00404F04: SetWindowTextA.USER32(0042DC78,0042DC78), ref: 00404F72
Part of subcall function 00404F04: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F98
Part of subcall function 00404F04: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FB2
Part of subcall function 00404F04: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FC0

Strings

Show, xrefs: 00401750, 00401759, 00401766, 00401778, 00401789, 004017BF, 004017D5, 004017F3, 00401833, 004018B4, 004018BD, 004018C7, 004018D2

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: Show
API String ID: 1941528284-2453435967
Opcode ID: 6eb49238af6692539912acbcd3088fdc8e4a0dc505d43c590e7d81ca3d5c7019
Instruction ID: 387613274165ae398735932c2abc0a0b51f1de13e66d7cff8d2fd5b5c87d53b9
Opcode Fuzzy Hash: 6eb49238af6692539912acbcd3088fdc8e4a0dc505d43c590e7d81ca3d5c7019
Instruction Fuzzy Hash: BA41E531900515BBCB10BFB5DD46EAF3A79EF02369B20433BF511B11E1D63C5A418AAE

Function 00403043 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 108fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00403058

Part of subcall function 004031F1: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E9D,?), ref: 004031FF

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00402F4E,00000004,00000000,00000000,00000000,?,?,?,00402EC4,000000FF,00000000), ref: 0040308B
WriteFile.KERNELBASE(00413C40,00414463,00000000,00000000,0041BC40,00004000,?,00000000,?,00402F4E,00000004,00000000,00000000,00000000,?,?), ref: 00403145
SetFilePointer.KERNELBASE(00036294,00000000,00000000,0041BC40,00004000,?,00000000,?,00402F4E,00000004,00000000,00000000,00000000,?,?), ref: 00403197

Strings

@<A, xrefs: 0040309D
cDA, xrefs: 00403114, 0040312D

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: File$Pointer$CountTickWrite
String ID: @<A$cDA
API String ID: 2146148272-1061399103
Opcode ID: 174d68c61dc59966423a732e2d3c391a81e8efc1f43ef34debc31d603f9fbc71
Instruction ID: 38a819a872193e9674b1f8cae37046a3c02fbcd4fdc241d2fccf286a9b7d6e75
Opcode Fuzzy Hash: 174d68c61dc59966423a732e2d3c391a81e8efc1f43ef34debc31d603f9fbc71
Instruction Fuzzy Hash: A841A0726081019FD710DF29ED409A67FACF748357714427BE800BA2E5EB386E499B9D

Function 00401F51 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401F7C
LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401F8C
GetProcAddress.KERNEL32(00000000,?), ref: 00401F9C
KiUserCallbackDispatcher.NTDLL(?,00002000,00447000,00413B70, oD,?,00000008,00000001,000000F0), ref: 00401FDE

Part of subcall function 00404F04: lstrlenA.KERNEL32(0042DC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000,?), ref: 00404F3D
Part of subcall function 00404F04: lstrlenA.KERNEL32(00402C4A,0042DC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000), ref: 00404F4D
Part of subcall function 00404F04: lstrcatA.KERNEL32(0042DC78,00402C4A,00402C4A,0042DC78,00000000,00000000,00000000), ref: 00404F60
Part of subcall function 00404F04: SetWindowTextA.USER32(0042DC78,0042DC78), ref: 00404F72
Part of subcall function 00404F04: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F98
Part of subcall function 00404F04: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FB2
Part of subcall function 00404F04: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FC0

FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402007

Strings

oD, xrefs: 00401FC7

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressCallbackDispatcherFreeHandleLoadModuleProcTextUserWindowlstrcat
String ID: oD
API String ID: 4236411475-1423469843
Opcode ID: 7e2e23e8ca072dcf6c3c9cb4140efd1df108e626b28cb1cbe2193e254b71bcec
Instruction ID: bdc715ebbed8c2eda9ea234d2d213aec03b0b01e395bd1d50e003243710bed61
Opcode Fuzzy Hash: 7e2e23e8ca072dcf6c3c9cb4140efd1df108e626b28cb1cbe2193e254b71bcec
Instruction Fuzzy Hash: 10212B32D04216ABCF207FA4CE89AAE75B0AB45398F20463BF511B62E1D77C4D41A65E

Function 6E5AD126 Relevance: 9.1, APIs: 6, Instructions: 62COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6E5AD12D
GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,?,00000010,6E5A3C83,0000002C,6E5A4CA5,0000005C,6E5A5150), ref: 6E5AD15E
GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000,?,TokenIntegrityLevel,00000000,00000000,?,00000010,6E5A3C83,0000002C,6E5A4CA5,0000005C,6E5A5150), ref: 6E5AD184
ConvertSidToStringSidA.ADVAPI32(00000000,00000000), ref: 6E5AD198
LocalFree.KERNEL32(00000000,00000000,00000000,?,TokenIntegrityLevel,00000000,00000000,00000000,?,TokenIntegrityLevel,00000000,00000000,?,00000010,6E5A3C83,0000002C), ref: 6E5AD1B5
CloseHandle.KERNEL32(?,?,TokenIntegrityLevel,00000000,00000000,?,00000010,6E5A3C83,0000002C,6E5A4CA5,0000005C,6E5A5150), ref: 6E5AD1C3

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: InformationToken$CloseConvertFreeH_prolog3HandleLocalString
String ID:
API String ID: 3529215428-0
Opcode ID: 7ddafbe476f39b87bf486c02c636d12bc90f644657da5e71c5b1cbe60fefad71
Instruction ID: 5663edff8cc1fb5047139c72295aa87b34d4db116075a43b2b965e7cc90c2384
Opcode Fuzzy Hash: 7ddafbe476f39b87bf486c02c636d12bc90f644657da5e71c5b1cbe60fefad71
Instruction Fuzzy Hash: 43117CB190060A9FDB049FE4CD44ABFBBF9FF89704F10082DF211A2281DB754E448B65

Function 00402F18 Relevance: 7.6, APIs: 5, Instructions: 109fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00409130,00000000,00000000,00000000,00000000,00000000,?,?,?,00402EC4,000000FF,00000000,00000000,00409130,?), ref: 00402F3F
ReadFile.KERNELBASE(00409130,00000004,?,00000000,00000004,00000000,00000000,00000000,?,?,?,00402EC4,000000FF,00000000,00000000,00409130), ref: 00402F6C
ReadFile.KERNELBASE(0041BC40,00004000,?,00000000,00409130,?,00402EC4,000000FF,00000000,00000000,00409130,?), ref: 00402FC6
WriteFile.KERNELBASE(00000000,0041BC40,?,000000FF,00000000,?,00402EC4,000000FF,00000000,00000000,00409130,?), ref: 00402FDE

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: File$Read$PointerWrite
String ID:
API String ID: 2113905535-0
Opcode ID: 3f7d08bd1b607004b86426ebc4fc7916ae32c0a4dad671b24d0311feea879852
Instruction ID: ec21393f4165ad4c0dee3133c7f646fae2b171c51213e780747c13a8c2f6635b
Opcode Fuzzy Hash: 3f7d08bd1b607004b86426ebc4fc7916ae32c0a4dad671b24d0311feea879852
Instruction Fuzzy Hash: 8A314731501249EBDB21CF55DD44A9E7FBCEB803A5F20403AF904A6194D7749F81EBA9

Function 0250198F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118COMMON

Download Yara Rule

APIs

Part of subcall function 02501D3B: GlobalFree.KERNEL32(?), ref: 02501F80
Part of subcall function 02501D3B: GlobalFree.KERNEL32(?), ref: 02501F85
Part of subcall function 02501D3B: GlobalFree.KERNEL32(?), ref: 02501F8A

GlobalFree.KERNEL32(00000000), ref: 02501A3A
FreeLibrary.KERNEL32(?), ref: 02501AB1
GlobalFree.KERNEL32(00000000), ref: 02501AD6

Part of subcall function 025023F6: GlobalAlloc.KERNEL32(00000040,E8002080), ref: 02502428

Part of subcall function 025027CC: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,?,02501A0B,00000000), ref: 0250281C

Part of subcall function 025018A1: lstrcpyA.KERNEL32(00000000,02504018,00000000,02501967,00000000), ref: 025018BA

Part of subcall function 025025FE: wsprintfA.USER32 ref: 0250265F
Part of subcall function 025025FE: GlobalFree.KERNEL32(?), ref: 02502728
Part of subcall function 025025FE: GlobalFree.KERNEL32(00000000), ref: 02502751

Strings

, xrefs: 02501AB7

Memory Dump Source

Source File: 00000001.00000002.2973409424.0000000002501000.00000020.00000001.01000000.00000008.sdmp, Offset: 02500000, based on PE: true

Associated: 00000001.00000002.2973389138.0000000002500000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.2973429594.0000000002503000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.2973449141.0000000002505000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2500000_Au_.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpywsprintf
String ID:
API String ID: 1767494692-3916222277
Opcode ID: 1ad8a079af9847876a880815de8c8f410f2d89ea35db0fd2328ddd72402ab5c8
Instruction ID: 7d412abded9c2ec60b87e916c3c85600a8744899aea1f9197acdd18d97ca5054
Opcode Fuzzy Hash: 1ad8a079af9847876a880815de8c8f410f2d89ea35db0fd2328ddd72402ab5c8
Instruction Fuzzy Hash: 3031B271400A069ACB14AF75DCD8BA63BA8BF44324F08C865ED0DAE0C6DF748445CBBE

Function 00401BAD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C25

Strings

!, xrefs: 00401BE1

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: a869fc4ed9d69aa89ddab629416d3bed9472318dc20609659f67b64c2dc426d5
Instruction ID: d701d1914d9a432f1ee94957cc89600c82e7343f4fc37ddb5fc3d32b609c0d77
Opcode Fuzzy Hash: a869fc4ed9d69aa89ddab629416d3bed9472318dc20609659f67b64c2dc426d5
Instruction Fuzzy Hash: D821C4B1A44209BFEF01AFB4CE4AAAE7B75EF44344F14053EF602B60D1D6B84980E718

Function 6E5B3124 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6E5B3195

Part of subcall function 6E5BD5AA: _malloc.LIBCMT ref: 6E5BD5C2

Part of subcall function 6E5B14F5: __EH_prolog3.LIBCMT ref: 6E5B14FC

Strings

SeRestorePrivilege, xrefs: 6E5B3164
SeBackupPrivilege, xrefs: 6E5B316E
SeDebugPrivilege, xrefs: 6E5B3154

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: H_prolog3Ios_base_dtor_mallocstd::ios_base::_
String ID: SeBackupPrivilege$SeDebugPrivilege$SeRestorePrivilege
API String ID: 2248311987-2063704729
Opcode ID: 54210688b652a011ed1df1ad24a9730d3dfb93b9d77e44eeebb0b66d39cea8ae
Instruction ID: 8bf0aefc11381e8f312da3da9d83dcb3a0d3a763b63ae2d1b2c0ae71508673e7
Opcode Fuzzy Hash: 54210688b652a011ed1df1ad24a9730d3dfb93b9d77e44eeebb0b66d39cea8ae
Instruction Fuzzy Hash: 3E012832115B15CBD654EBE8C835AAA33ED9BC2625B010519D614AF3C4DF705C4287D3

Function 0040586C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040587F
GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 00405899

Strings

nsa, xrefs: 00405878
"C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" , xrefs: 00405873

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" $nsa
API String ID: 1716503409-920667318
Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction ID: 7bdb262dbebad2fb51735791196b4a750b565e3ebaa120aaaad2cbe3184e43fd
Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction Fuzzy Hash: B1F0A73734820876E7105E55DC04B9B7F9DDF91760F14C027FE44DA1C0D6B49954C7A5

Function 004015B3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 004056ED: CharNextA.USER32(0040549F,?,0043BCA8,00000000,00405751,0043BCA8,0043BCA8,?,?,74DF2EE0,0040549F,?,"C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" ,74DF2EE0), ref: 004056FB
Part of subcall function 004056ED: CharNextA.USER32(00000000), ref: 00405700
Part of subcall function 004056ED: CharNextA.USER32(00000000), ref: 0040570F

CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
SetCurrentDirectoryA.KERNEL32(00000000,00473000,00000000,00000000,000000F0), ref: 00401622

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID:
API String ID: 3751793516-0
Opcode ID: 209af644734a24d1333b26708d9a983e4321cafaa5444aff04a6b4d172326dd5
Instruction ID: 1bea97f6ad753e655b82da7d5523b655d2584313a213d434da7226bf4f447ea8
Opcode Fuzzy Hash: 209af644734a24d1333b26708d9a983e4321cafaa5444aff04a6b4d172326dd5
Instruction Fuzzy Hash: 790108318081419FDB116F751D4497F6BB0AA56369724073FF491B22E2C63C0941962E

Function 6E5A3C23 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6E5A3C2A

Part of subcall function 6E5AD008: GetCurrentProcessId.KERNEL32(?,?,?,00000000), ref: 6E5AD039
Part of subcall function 6E5AD008: ProcessIdToSessionId.KERNEL32(00000000,?,?,00000000), ref: 6E5AD040
Part of subcall function 6E5AD008: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00000000), ref: 6E5AD049
Part of subcall function 6E5AD008: _memset.LIBCMT ref: 6E5AD05E
Part of subcall function 6E5AD008: Process32First.KERNEL32(00000000,?), ref: 6E5AD078
Part of subcall function 6E5AD008: CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 6E5AD0DF
Part of subcall function 6E5AD008: OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,00000000), ref: 6E5AD0EC
Part of subcall function 6E5AD008: OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,00000000), ref: 6E5AD101
Part of subcall function 6E5AD008: CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 6E5AD113

GetCurrentProcess.KERNEL32(00000008,6E5A5049,0000002C,6E5A4CA5,0000005C,6E5A5150), ref: 6E5A3C67
OpenProcessToken.ADVAPI32(00000000), ref: 6E5A3C6E
CloseHandle.KERNELBASE(6E5A5049,00000000,0000002C,6E5A4CA5,0000005C,6E5A5150), ref: 6E5A3C96

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: Process$CloseHandleOpen$CurrentToken$CreateFirstH_prolog3_Process32SessionSnapshotToolhelp32_memset
String ID:
API String ID: 3642591257-0
Opcode ID: f4a0d03d32a6401356cdf73562d95d88156a2ee0e45d679743b74a95e2d1d2e6
Instruction ID: 08f0d0e2a382b375937c3575d1c66721305fc3e743d6a143a6e91962e6297a32
Opcode Fuzzy Hash: f4a0d03d32a6401356cdf73562d95d88156a2ee0e45d679743b74a95e2d1d2e6
Instruction Fuzzy Hash: A3012871D11218ABDF10EFE8E994ADDBBF9BF44708F80482DE702A7241DB799908CB55

Function 6E5ADA34 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6E5ADA3E

Part of subcall function 6E5AD79C: __EH_prolog3_GS.LIBCMT ref: 6E5AD7A6
Part of subcall function 6E5AD79C: RegOpenKeyExA.KERNELBASE(80000003,?,00000000,00000001,?), ref: 6E5AD82B
Part of subcall function 6E5AD79C: _memset.LIBCMT ref: 6E5AD84D
Part of subcall function 6E5AD79C: RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,?,6E5B2085), ref: 6E5AD888

Strings

AppData, xrefs: 6E5ADA7D
Local AppData, xrefs: 6E5ADAB5

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: H_prolog3_$OpenQueryValue_memset
String ID: AppData$Local AppData
API String ID: 1942963601-163911853
Opcode ID: b5499fa2a9ef3d9eae2aa67e20c414753e97628972aaabe9ffea80ea1a3edaa8
Instruction ID: 395dc676163018afdd69055ba4b282f8f0cf7987e2990f0d8fd1272ed7ac89ad
Opcode Fuzzy Hash: b5499fa2a9ef3d9eae2aa67e20c414753e97628972aaabe9ffea80ea1a3edaa8
Instruction Fuzzy Hash: 8221E7B59001188ACB58EFEDC951AEDB7F9AB98208F508859C609E7241EF349E09CB51

Function 00406566 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b47bfdafb4299acf6df14b1a265fb959f908a42d38d0bc6d60d6342fbb02c28f
Instruction ID: 319d18918fa2cc3741333e20ed782d5c303dd2f769888eebbc994f2124d7c2e6
Opcode Fuzzy Hash: b47bfdafb4299acf6df14b1a265fb959f908a42d38d0bc6d60d6342fbb02c28f
Instruction Fuzzy Hash: 29A15171E00229CBDF28CFA8C8547ADBBB1FF44305F15812AD856BB281D7789A96DF44

Function 00406767 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0b545a720d06a2780d8eb9310de1c164ea8e259f40aa19cdef3f662a7789f4d
Instruction ID: 868f2ec1f3ea74d7de1394d818727f69d5aca31e92bf34b5737afca42cfaef71
Opcode Fuzzy Hash: d0b545a720d06a2780d8eb9310de1c164ea8e259f40aa19cdef3f662a7789f4d
Instruction Fuzzy Hash: 6E913171D00229CBEF28CF98C8547ADBBB1FF44305F15812AD856BB281C7789A9ADF44

Function 0040647D Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ca4e82cbd918d9bc6f131d9bc7fd5d61b9600368ad5a57dd77e762cc9babb20
Instruction ID: e06b97397237a54a8f7c6fae7a0c48c933f493286525731b7b3672fa0d973436
Opcode Fuzzy Hash: 3ca4e82cbd918d9bc6f131d9bc7fd5d61b9600368ad5a57dd77e762cc9babb20
Instruction Fuzzy Hash: 678155B1D00229CFDF24CFA8C8447ADBBB1FB44305F25816AD456BB281D7789A96CF54

Function 00405F82 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c94337aa44be19872a05e7fe324c1f72408cb83bc4afcb37e89916e28dd5cdb7
Instruction ID: 3ccfc7c80e99de65fa6db0e0edc8679980b1d0ea62cd2807200041591328ae3c
Opcode Fuzzy Hash: c94337aa44be19872a05e7fe324c1f72408cb83bc4afcb37e89916e28dd5cdb7
Instruction Fuzzy Hash: D98187B1D00229CBDF24CFA8C8447AEBBB1FB44305F11816AD856BB2C1C7785A96CF44

Function 004063D0 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 040a7e0d789931a885e98904e34fb369bef72c7c312577bd0d6f252efd828c84
Instruction ID: 235c9a1f152390887c8e3346b3cf8cf745e7d176c25095dba4735a56a8f4339d
Opcode Fuzzy Hash: 040a7e0d789931a885e98904e34fb369bef72c7c312577bd0d6f252efd828c84
Instruction Fuzzy Hash: 80714371D00229CBDF28CFA8C8447ADBBF1FB48305F15806AD846BB281D7395A96DF54

Function 004064EE Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55b1e8378e3b2d282ecc9e99db2cbf184c75cfe722202a43e2005f386b139382
Instruction ID: 067b91939e33353516387f96afd3df60e22fb0a2a23546be1218d687de4ca84d
Opcode Fuzzy Hash: 55b1e8378e3b2d282ecc9e99db2cbf184c75cfe722202a43e2005f386b139382
Instruction Fuzzy Hash: 14715371E00229CFEF28CF98C844BADBBB1FB44305F15816AD816BB281C7799996DF54

Function 0040643A Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c10b0ec6d8a1716373c4594016b158d4b4e2bf5790cbb1f15a9d43b973b4a336
Instruction ID: fa01dbb36adddbb747bc37ce8d7c8691094d52a97b4972d7f98645f49a39bfe1
Opcode Fuzzy Hash: c10b0ec6d8a1716373c4594016b158d4b4e2bf5790cbb1f15a9d43b973b4a336
Instruction Fuzzy Hash: B3715671D00229CBEF28CF98C844BADBBB1FF44305F11816AD856BB281C7795A56DF54

Function 00401B06 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 00401B75
GlobalAlloc.KERNELBASE(00000040,00002004), ref: 00401B87

Strings

Show, xrefs: 00401B2D, 00401B33, 00401B4D

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: Global$AllocFree
String ID: Show
API String ID: 3394109436-2453435967
Opcode ID: 597160d677e6f6bf239cdb815303b9d1c25e4923f441626bb30c6ad79852b10b
Instruction ID: 40a7280c6bc08be0db3b73016c8de3fef090b0d8f695c6c290b048d12dbd555a
Opcode Fuzzy Hash: 597160d677e6f6bf239cdb815303b9d1c25e4923f441626bb30c6ad79852b10b
Instruction Fuzzy Hash: 3E21C07AA041019BC710AFA4DD84AAE73B8FB44328724463BF502F32D1E77CB9029B5D

Function 6E5A4BA1 Relevance: 4.6, APIs: 3, Instructions: 67registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6E5A4BAB
RegQueryInfoKeyA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6E5A4BE9
RegEnumKeyExA.KERNELBASE(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 6E5A4C25

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: EnumH_prolog3_InfoQuery
String ID:
API String ID: 4204649834-0
Opcode ID: 4f85e5d2d92d7dc5d1f40d9d406d84dde75477df14fd3bf8951694a59b56a43f
Instruction ID: 3115e09d0ba2c1d41c3360a6c2dd2a494e1cd96eb228b14a5d711579bc95afa1
Opcode Fuzzy Hash: 4f85e5d2d92d7dc5d1f40d9d406d84dde75477df14fd3bf8951694a59b56a43f
Instruction Fuzzy Hash: 2D2130B19012199AEB64DFA9CD95BEEF6FCAF48700F104099A309E3240DB709E858F65

Function 00405A4D Relevance: 4.5, APIs: 3, Instructions: 45registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,00405C89,00000000,00000002,?,00000002,?,?,00405C89,80000002,Software\Microsoft\Windows\CurrentVersion,?,Show,?), ref: 00405A76
RegQueryValueExA.KERNELBASE(?,?,00000000,00405C89,?,00405C89), ref: 00405A97
RegCloseKey.ADVAPI32(?), ref: 00405AB8

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 204e51b4f78c19129b196cb9eb6bb79bd101332c81dc485206331a565e676d9f
Instruction ID: 06a431e2f71295f3cf74ce3459a4c9929c263c6d1c003fd68c505121db66fcab
Opcode Fuzzy Hash: 204e51b4f78c19129b196cb9eb6bb79bd101332c81dc485206331a565e676d9f
Instruction Fuzzy Hash: AB015A7114120AEFDB228F64EC88AEB3FACEF14394B004536F845D6120D335D964DFA5

Function 00405E88 Relevance: 4.5, APIs: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,0040327F,00000008), ref: 00405E9A
LoadLibraryA.KERNELBASE(?,?,00000000,0040327F,00000008), ref: 00405EA5
GetProcAddress.KERNEL32(00000000,?), ref: 00405EB6

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: cda0668070076e7cac62d6abfc32be1e4fdfe709f191786036c768239460f4b3
Instruction ID: 91087f9554edebef2dfdad95906e97f440013226b38390424b9c6ad62026e406
Opcode Fuzzy Hash: cda0668070076e7cac62d6abfc32be1e4fdfe709f191786036c768239460f4b3
Instruction Fuzzy Hash: 0FE08C32A08511BBD3115B30ED0896B77A8EA89B41304083EF959F6290D734EC119BFA

Function 0250120C Relevance: 3.2, APIs: 2, Instructions: 156COMMON

Download Yara Rule

APIs

LoadImageA.USER32(00000000), ref: 025012CB
GetLastError.KERNEL32 ref: 025013D2

Memory Dump Source

Source File: 00000001.00000002.2973409424.0000000002501000.00000020.00000001.01000000.00000008.sdmp, Offset: 02500000, based on PE: true

Associated: 00000001.00000002.2973389138.0000000002500000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.2973429594.0000000002503000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.2973449141.0000000002505000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2500000_Au_.jbxd

Similarity

API ID: ErrorImageLastLoad
String ID:
API String ID: 2189606529-0
Opcode ID: 283fbd6495544bb8067e48c2dc8201a665fd3f218e3d3bd90195c19143ab8206
Instruction ID: 23e0445fbd10fd6e0c4458adf797dd9fd7311219e7a135b3f029cd36316fddaf
Opcode Fuzzy Hash: 283fbd6495544bb8067e48c2dc8201a665fd3f218e3d3bd90195c19143ab8206
Instruction Fuzzy Hash: 06516DB2D006059BDB20EFA4ECD5BA97B65FB84354F208C2ADA08EB284D7349494DF5D

Function 0040573A Relevance: 3.0, APIs: 2, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405B66: lstrcpynA.KERNEL32(?,?,00002000,004032AA,00442EA0,NSIS Error), ref: 00405B73

Part of subcall function 004056ED: CharNextA.USER32(0040549F,?,0043BCA8,00000000,00405751,0043BCA8,0043BCA8,?,?,74DF2EE0,0040549F,?,"C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" ,74DF2EE0), ref: 004056FB
Part of subcall function 004056ED: CharNextA.USER32(00000000), ref: 00405700
Part of subcall function 004056ED: CharNextA.USER32(00000000), ref: 0040570F

lstrlenA.KERNEL32(0043BCA8,00000000,0043BCA8,0043BCA8,?,?,74DF2EE0,0040549F,?,"C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" ,74DF2EE0), ref: 0040578D
GetFileAttributesA.KERNELBASE(0043BCA8,0043BCA8,0043BCA8,0043BCA8,0043BCA8,0043BCA8,00000000,0043BCA8,0043BCA8,?,?,74DF2EE0,0040549F,?,"C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" ,74DF2EE0), ref: 0040579D

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID:
API String ID: 3248276644-0
Opcode ID: bbf9c2a4c7a9848b14ccf845bd5e395f523b7c3fb69d62b914034bef7f348fd8
Instruction ID: 0812166c8b496666587ca5d03f38fde26ec08608c69b0591fb7618eaa3d9f744
Opcode Fuzzy Hash: bbf9c2a4c7a9848b14ccf845bd5e395f523b7c3fb69d62b914034bef7f348fd8
Instruction Fuzzy Hash: C9F0C225105D509AC726373A5C09EAF1A55CE873A4F180A3FF894B32D1DB3C8943EDAE

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4867a7ac09fc69c5be383e70d71a49da0db6d857fdd3f63813c45ff4234f607f
Instruction ID: 260ece8b11c67a0547d38148548bb69d3a72b9e094467d57d573f0264d123cd5
Opcode Fuzzy Hash: 4867a7ac09fc69c5be383e70d71a49da0db6d857fdd3f63813c45ff4234f607f
Instruction Fuzzy Hash: EF0128316242219BE7195B399E04B2A36D9E712314F24423FF855F72F1D6B8DC02DB4D

Function 00402866 Relevance: 3.0, APIs: 2, Instructions: 21windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000000B,?), ref: 00402875
InvalidateRect.USER32(?), ref: 00402885

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: InvalidateMessageRectSend
String ID:
API String ID: 909852535-0
Opcode ID: fe5d62905ff904b06b667de19638afdd23f1a4194226e5edc5a3f72ad26ed6dd
Instruction ID: 24f90174686c9b3cd20c076e36aa4b559fc68d02f4454c5cfe24fb6f4ce72024
Opcode Fuzzy Hash: fe5d62905ff904b06b667de19638afdd23f1a4194226e5edc5a3f72ad26ed6dd
Instruction Fuzzy Hash: CBE08C72A00104AFDB00DB94FE859AEBBBAEB40359B10007AF201F00A0D2711D00CA28

Function 00401D95 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DAB
EnableWindow.USER32(00000000,00000000), ref: 00401DB6

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 1a4ba173b2ab926010c6fd7e079550169295c22d01dc646cb7fa1dd7a7391512
Instruction ID: 61dcf640407b65e998d28dbe3df77c1067fac425532fadd3a93478c567a596b8
Opcode Fuzzy Hash: 1a4ba173b2ab926010c6fd7e079550169295c22d01dc646cb7fa1dd7a7391512
Instruction Fuzzy Hash: 63E0C276A08210DBD710FBB4AE899AE7664DB413A9B10453BF503F20C1D2B89C8096EE

Function 0040583D Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402CB5,0047D000,80000000,00000003), ref: 00405841
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405863

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
Instruction ID: 90a47e22fdd321f70bf06df01bfdefa11f3e73682391c7296034eb3a8fe04f39
Opcode Fuzzy Hash: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
Instruction Fuzzy Hash: 8CD09E31658301AFEF098F20DD1AF2E7AA2EB84B00F10562CB646940E0D6715815DB16

Function 0040581E Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,00405629,?,?,?), ref: 00405822
SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405834

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
Instruction ID: 89544605ef234ac14ed66c3b065a2d642d1346908a696065e0ba681aeed38476
Opcode Fuzzy Hash: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
Instruction Fuzzy Hash: F8C04CB1808501ABD7056B24EF0D81F7B66EF50325B108B35F5A9E00F0C7355C66DA1A

Function 06D91DD9 Relevance: 2.5, APIs: 2, Instructions: 29stringCOMMON

Download Yara Rule

APIs

lstrcpynA.KERNEL32(06D91054,?,?,?,06D91054,?), ref: 06D91E06
GlobalFree.KERNELBASE ref: 06D91E16

Memory Dump Source

Source File: 00000001.00000002.2976302121.0000000006D91000.00000020.00000001.01000000.00000009.sdmp, Offset: 06D90000, based on PE: true

Associated: 00000001.00000002.2976276508.0000000006D90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2976439780.0000000006D93000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2976488802.0000000006D94000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2976529163.0000000006D97000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6d90000_Au_.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID:
API String ID: 1459762280-0
Opcode ID: eb2d6a14ab28a1cc0a0b691d1d260b2340328e4fa96d85d9886e24a2e3cb529f
Instruction ID: f7a6da1bf8b53d353f55f66357d74b2ce0848a546a4a593a2f03360d3503af66
Opcode Fuzzy Hash: eb2d6a14ab28a1cc0a0b691d1d260b2340328e4fa96d85d9886e24a2e3cb529f
Instruction Fuzzy Hash: BFF01532A15212DFDBA2CF25EC54A6777EABF48784B158829F986C7350D330E814CBB0

Function 004031BF Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00409130,00000000,00000000,00000000,0041BC40,00413C40,004030C4,0041BC40,00004000,?,00000000,?,00402F4E,00000004,00000000,00000000), ref: 004031D6

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
Instruction ID: 4c5c04567c480c11bae84e94003d2882b37cb3083c3cc1db03504fe221b835f3
Opcode Fuzzy Hash: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
Instruction Fuzzy Hash: DAE08631500119BBCF215E619C00A973B5CEB09362F008033FA04E9190D532DB109BA5

Function 00403208 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00405DC8: CharNextA.USER32(?,*?|<>/":,00000000,00479000,"C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" ,00479000,00000000,00403214,00479000,00000000,00403386), ref: 00405E20
Part of subcall function 00405DC8: CharNextA.USER32(?,?,?,00000000), ref: 00405E2D
Part of subcall function 00405DC8: CharNextA.USER32(?,00479000,"C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" ,00479000,00000000,00403214,00479000,00000000,00403386), ref: 00405E32
Part of subcall function 00405DC8: CharPrevA.USER32(?,?,"C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" ,00479000,00000000,00403214,00479000,00000000,00403386), ref: 00405E42

CreateDirectoryA.KERNELBASE(00479000,00000000,00479000,00479000,00479000,00000000,00403386), ref: 00403229

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: 11ac191fccc5bbc9840a496eb92e8966bc42d1118a3597eec2c2256fb95cb988
Instruction ID: be85e933f5554b091e9989970333af42224d3bace8f0b1f193a31a6a85193b6d
Opcode Fuzzy Hash: 11ac191fccc5bbc9840a496eb92e8966bc42d1118a3597eec2c2256fb95cb988
Instruction Fuzzy Hash: A0D0C92255AE3031C652323A3C06FDF092C9F1272AF55887BF908B40D54B6C1E4289EE

Function 02502930 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(0250404C,00000004,00000040,0250403C), ref: 0250294E

Memory Dump Source

Source File: 00000001.00000002.2973409424.0000000002501000.00000020.00000001.01000000.00000008.sdmp, Offset: 02500000, based on PE: true

Associated: 00000001.00000002.2973389138.0000000002500000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.2973429594.0000000002503000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.2973449141.0000000002505000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2500000_Au_.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f37c672921ec2c3d57da210c593d7d55d70a988a17ac0fcb4b647c61cf545c8a
Instruction ID: 54200ce162f973dd73a793272abab6f0af911a43fbbc082fbea0b456ee0607d9
Opcode Fuzzy Hash: f37c672921ec2c3d57da210c593d7d55d70a988a17ac0fcb4b647c61cf545c8a
Instruction Fuzzy Hash: A2E0A5B1D85340DEE360DF68ACE5F213FE4B394745B018C2AE748FA289E3744068AB19

Function 00403F18 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetDlgItemTextA.USER32(?,?,00000000), ref: 00403F32

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: ItemText
String ID:
API String ID: 3367045223-0
Opcode ID: a4344885837872da06a0b73f422c0a40da7d5145ed9eee0f172373294b1062d3
Instruction ID: 32956ba5a052c000d200729fffd4f2c944d874cb1110b62223aa4bdd109d9e57
Opcode Fuzzy Hash: a4344885837872da06a0b73f422c0a40da7d5145ed9eee0f172373294b1062d3
Instruction Fuzzy Hash: E4C08C31048200BFD241AB04CC42F1FB3A8EFA0327F00C92EB05CE00D2C634D420CE2A

Function 00403F4D Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000028,?,00000001,00403D7E), ref: 00403F5B

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 12ae83ab391e7f369246a6127affb34c56c806e6816565e8b22517892e1e56d9
Instruction ID: 67ca0023b821b57991502e48ebf3819f4b95a9644f5fb617973bfda0dd74b738
Opcode Fuzzy Hash: 12ae83ab391e7f369246a6127affb34c56c806e6816565e8b22517892e1e56d9
Instruction Fuzzy Hash: 0AB0127E6C5201BFDF115B10DE09F467EA2E765701F018074B304240F0C7F200A1DB0A

Function 004031F1 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E9D,?), ref: 004031FF

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
Instruction ID: eafd0aff1283cdec3023edec91852d87283cefa69c9b21bce59c6677f93a42a7
Opcode Fuzzy Hash: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
Instruction Fuzzy Hash: 14B01271644200BFDB214F00DF06F057B21A790701F108030B344380F082712420EB1E

Function 02501541 Relevance: 1.3, APIs: 1, Instructions: 4memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000040,02501577,?,?,02501804,?,02501017), ref: 02501549

Memory Dump Source

Source File: 00000001.00000002.2973409424.0000000002501000.00000020.00000001.01000000.00000008.sdmp, Offset: 02500000, based on PE: true

Associated: 00000001.00000002.2973389138.0000000002500000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.2973429594.0000000002503000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.2973449141.0000000002505000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2500000_Au_.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 8317b1501e94243feb8c4e4801db4455bc10d5016c7f80d0279bc465d5597396
Instruction ID: 1ed5e072de67feb1c51877864b679c722c08404086633ca3ce2f4a8d4ae3428f
Opcode Fuzzy Hash: 8317b1501e94243feb8c4e4801db4455bc10d5016c7f80d0279bc465d5597396
Instruction Fuzzy Hash: C7A00172D81180AADE416E90ADAAF653A21A744701F114880A7196909896650078AA19

Non-executed Functions

Function 10001529 Relevance: 72.1, APIs: 38, Strings: 3, Instructions: 360windowstringprocessCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 1000153B
lstrlenA.KERNEL32(?), ref: 100015D6
lstrlenA.KERNEL32(?), ref: 100015DE
GlobalAlloc.KERNEL32(00000040,?), ref: 100015F9
wsprintfA.USER32 ref: 10001635
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 10001671
GetLastError.KERNEL32 ref: 10001682

Part of subcall function 10001438: GetDlgItem.USER32(?,00000001), ref: 10001477
Part of subcall function 10001438: EnableWindow.USER32(00000000), ref: 1000147A

MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,00FFFFFF), ref: 100016A7
lstrlenA.KERNEL32(?), ref: 100016B7
MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000002,00FFFFFF), ref: 100016DB
GetDlgItem.USER32(?,000003EC), ref: 100016F9
SendMessageW.USER32(00000000), ref: 10001702
GetDlgItem.USER32(?,000003ED), ref: 1000171A
SendMessageW.USER32(00000000), ref: 1000171D
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000001,00000000,?,00000000,00000000,00000000,00000044,?), ref: 10001771
GetLastError.KERNEL32 ref: 10001785
FormatMessageA.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,00000000), ref: 100017BA
MessageBoxA.USER32(?,?,00000000,00000030), ref: 100017D2
LocalFree.KERNEL32(?), ref: 100017DB
GetLastError.KERNEL32 ref: 100017E3
GlobalFree.KERNEL32(?), ref: 100017EF
CloseHandle.KERNEL32(?), ref: 100017F8
EndDialog.USER32(?,-00000001), ref: 1000181C
SetWindowLongA.USER32(?,000000EB,?), ref: 10001841
GetDlgItem.USER32(?,000003EC), ref: 10001860
SendMessageA.USER32(00000000), ref: 10001869
GetDlgItem.USER32(?,000003ED), ref: 1000187E
SendMessageA.USER32(00000000), ref: 10001881
LoadLibraryA.KERNEL32(SHELL32), ref: 10001888
LoadImageA.USER32(00000000,000000C2,00000001,00000020,00000020,00008000), ref: 1000189F
GetDlgItem.USER32(?,000003EA), ref: 100018B4
SendMessageA.USER32(00000000), ref: 100018B7
SendMessageA.USER32(?,0000000C,00000000), ref: 100018C5
GetDlgItem.USER32(?,000003EB), ref: 100018D8
SendMessageA.USER32(00000000), ref: 100018DB
GetDlgItem.USER32(?,000003E9), ref: 100018FC
SendMessageA.USER32(00000000), ref: 100018FF
DestroyWindow.USER32(?), ref: 1000191B

Strings

SHELL32, xrefs: 10001883
%s%s%s, xrefs: 1000162D
D, xrefs: 1000164E

Memory Dump Source

Source File: 00000001.00000002.2976574315.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2976553438.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2976597083.0000000010004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2976619836.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Au_.jbxd

Similarity

API ID: Message$ItemSend$Window$ErrorLastlstrlen$ByteCharCreateFreeGlobalLoadLongMultiProcessWide$AllocCloseDestroyDialogEnableFormatHandleImageLibraryLocalLogonWithwsprintf
String ID: %s%s%s$D$SHELL32
API String ID: 1952459550-1920488832
Opcode ID: 34574b97fe99c8b919390515d22d94bd774024d7b160c7d6c717a4e01c56865c
Instruction ID: 1d93073d208240e81b43fb16ae61215ed39919340965964d5039d90bf4136bbf
Opcode Fuzzy Hash: 34574b97fe99c8b919390515d22d94bd774024d7b160c7d6c717a4e01c56865c
Instruction Fuzzy Hash: C3C17C71500259BFFB11DFA0CC84EEE7BBAEB487D0F114125FA05AB1A8DA719E41DB60

Function 00404853 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 478windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 0040486A
GetDlgItem.USER32(?,00000408), ref: 00404877
GlobalAlloc.KERNEL32(00000040,?), ref: 004048C3
LoadBitmapA.USER32(0000006E), ref: 004048D6
SetWindowLongA.USER32(?,000000FC,00404E54), ref: 004048F0
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404904
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404918
SendMessageA.USER32(?,00001109,00000002), ref: 0040492D
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404939
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 0040494B
DeleteObject.GDI32(?), ref: 00404950
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 0040497B
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404987
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404A1C
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404A47
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404A5B
GetWindowLongA.USER32(?,000000F0), ref: 00404A8A
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404A98
ShowWindow.USER32(?,00000005), ref: 00404AA9
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404BAC
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404C11
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404C26
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404C4A
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404C70
ImageList_Destroy.COMCTL32(?), ref: 00404C85
GlobalFree.KERNEL32(?), ref: 00404C95
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404D05
SendMessageA.USER32(?,00001102,00000410,?), ref: 00404DAE
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404DBD
InvalidateRect.USER32(?,00000000,00000001), ref: 00404DDD
ShowWindow.USER32(?,00000000), ref: 00404E2B
GetDlgItem.USER32(?,000003FE), ref: 00404E36
ShowWindow.USER32(00000000), ref: 00404E3D

Strings

, xrefs: 00404E15
N, xrefs: 00404AE7
M, xrefs: 00404A03

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: dd0d6839c3c6646c8d4c621fd332aa66db5d69425e8e435e4a889b0b6d183c2e
Instruction ID: 1183d6f7a9f832480c2a2c99bd38156e4ec5938e1fe9ffba5ec1c0e4999ab2b0
Opcode Fuzzy Hash: dd0d6839c3c6646c8d4c621fd332aa66db5d69425e8e435e4a889b0b6d183c2e
Instruction Fuzzy Hash: 8A029CB0D00209AFEB11CF65DD45AAE7BB5FB85314F10817AF610BA2E1C7B99A41CF58

Function 100012B3 Relevance: 31.6, APIs: 7, Strings: 11, Instructions: 111stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(10000000,?,00000208,00000000), ref: 100012CF
lstrcatA.KERNEL32(?,lng,75C08FB0,75BF3EB0), ref: 100012F5

Part of subcall function 10001247: GetPrivateProfileStringA.KERNEL32(MyRunAsStrings,000000FF,00000000,?,00000208,?), ref: 10001269

Part of subcall function 10001247: SendMessageA.USER32(00000000), ref: 100012A9

Part of subcall function 10001247: GetDlgItem.USER32(?,000000FF), ref: 100012A2

GetDlgItem.USER32(?,000003E8), ref: 100013B8
GetPrivateProfileIntA.KERNEL32(MyRunAsCfg,DisableCurrUserOpt,00000000,?), ref: 100013DA
EnableWindow.USER32(?,00000000), ref: 100013E4
GetPrivateProfileIntA.KERNEL32(MyRunAsCfg,HideCurrUserOpt,00000000,?), ref: 100013F8
ShowWindow.USER32(?,00000000), ref: 10001404

Strings

Cancel, xrefs: 100013AC
HelpText, xrefs: 10001321
MyRunAsCfg, xrefs: 100013CD, 100013D9, 100013F7
DisableCurrUserOpt, xrefs: 100013D4
OptOtherUser, xrefs: 10001352
DlgTitle, xrefs: 10001309
lng, xrefs: 100012EF
Pwd, xrefs: 10001382
HideCurrUserOpt, xrefs: 100013F2
Username, xrefs: 1000136A
OptCurrUser, xrefs: 1000133A

Memory Dump Source

Source File: 00000001.00000002.2976574315.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2976553438.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2976597083.0000000010004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2976619836.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Au_.jbxd

Similarity

API ID: PrivateProfile$ItemWindow$EnableFileMessageModuleNameSendShowStringlstrcat
String ID: Cancel$DisableCurrUserOpt$DlgTitle$HelpText$HideCurrUserOpt$MyRunAsCfg$OptCurrUser$OptOtherUser$Pwd$Username$lng
API String ID: 1739871576-1606624064
Opcode ID: c67b67cf6b72c09f04141cf3aac40c1a9f776453504d2503a71c961c2ab33eb0
Instruction ID: 5a0fd6d5bb8fd049567e080151ef1adc3634c16aa54309ef99e1a2fef023288f
Opcode Fuzzy Hash: c67b67cf6b72c09f04141cf3aac40c1a9f776453504d2503a71c961c2ab33eb0
Instruction Fuzzy Hash: 5A3170B94002187FF711D791CC89EFB7A7CDB966C0F010155F654E209ADF20AE808A71

Function 6E5D22C0 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6E5C9287: __getptd_noexit.LIBCMT ref: 6E5C9288
Part of subcall function 6E5C9287: __amsg_exit.LIBCMT ref: 6E5C9295

_memset.LIBCMT ref: 6E5D22F6
_TranslateName.LIBCMT ref: 6E5D2341
_TranslateName.LIBCMT ref: 6E5D238C
GetUserDefaultLCID.KERNEL32(?,?,00000055), ref: 6E5D23D9

Part of subcall function 6E5C53F2: _GetTableIndexFromLcid.LIBCMT ref: 6E5C541F
Part of subcall function 6E5C53F2: _wcsnlen.LIBCMT ref: 6E5C5433

IsValidCodePage.KERNEL32(00000000), ref: 6E5D242D
IsValidLocale.KERNEL32(?,00000001), ref: 6E5D2440
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040), ref: 6E5D2493
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 6E5D24AA
__itow_s.LIBCMT ref: 6E5D24BC

Part of subcall function 6E5D484F: _xtow_s@20.LIBCMT ref: 6E5D4871

Strings

D^nU, xrefs: 6E5D233C

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: Locale$InfoNameTranslateValid$CodeDefaultFromIndexLcidPageTableUser__amsg_exit__getptd_noexit__itow_s_memset_wcsnlen_xtow_s@20
String ID: D^nU
API String ID: 2025796856-526791073
Opcode ID: a1dd878d5842217aefdb2ebc2e17948d8c64826913ef5d8e77faf28a0f2daad7
Instruction ID: 28bfcc56a8743120fd5b1027e5d4428f9d5085c997ad9086bfeeb0e86ac4e41c
Opcode Fuzzy Hash: a1dd878d5842217aefdb2ebc2e17948d8c64826913ef5d8e77faf28a0f2daad7
Instruction Fuzzy Hash: BE51607590021AEBEB41DFECCC90AFE77ECEF05704F00496AE955DB184EB7099488B69

Function 10001164 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 74windowlibraryCOMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(00000000,?), ref: 100011A9
wsprintfA.USER32 ref: 100011D8
GetDlgItem.USER32(?,000003E8), ref: 100011FA
SendMessageA.USER32(00000000), ref: 10001203
LoadLibraryA.KERNEL32(SHELL32,00005503,00000000,00000204), ref: 10001217
LoadStringA.USER32(00000000), ref: 1000121E
GetDlgItem.USER32(?,000003EC), ref: 1000123B
SendMessageA.USER32(00000000), ref: 1000123E

Strings

SHELL32, xrefs: 10001212

Memory Dump Source

Source File: 00000001.00000002.2976574315.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2976553438.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2976597083.0000000010004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2976619836.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Au_.jbxd

Similarity

API ID: ItemLoadMessageSend$LibraryNameStringUserwsprintf
String ID: SHELL32
API String ID: 970484078-1756878077
Opcode ID: 57a7222d8989f161ee214d83118e8bd9a4413ca5da9ba2a1efdb7cf0cd9ecf79
Instruction ID: 647adecb5b77344e9641148cbd41eb027d92ab1218214b8878e9f8efa4f0453c
Opcode Fuzzy Hash: 57a7222d8989f161ee214d83118e8bd9a4413ca5da9ba2a1efdb7cf0cd9ecf79
Instruction Fuzzy Hash: 03214CB1900268ABFB11EB90CC89FDF7BBCEB04785F004195F754E61A6DB709E848B64

Function 6E5D21AB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 6E5D21C2
_wcscmp.LIBCMT ref: 6E5D21D3
GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,6E5D2405,?,00000000), ref: 6E5D21EF
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,6E5D2405,?,00000000), ref: 6E5D2219

Strings

ACP, xrefs: 6E5D21BC
OCP, xrefs: 6E5D21CD

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: InfoLocale_wcscmp
String ID: ACP$OCP
API String ID: 1351282208-711371036
Opcode ID: 594b6fa9ee56981ed078ffaf1ba668886877028615b6167003ea8e1d6af961d6
Instruction ID: d20fa96184b3dc99383821352ecd4791c03b644a907f63af612ce3bd59f0b846
Opcode Fuzzy Hash: 594b6fa9ee56981ed078ffaf1ba668886877028615b6167003ea8e1d6af961d6
Instruction Fuzzy Hash: 0301B536209506AAEB419FDDEC00FD737E8AF02765B00C415F618DB091EB70D588979D

Function 10002F22 Relevance: 7.6, APIs: 5, Instructions: 56COMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32(000000FF,00000028,?,00000000,?,?,1000238F,SeDebugPrivilege,00000001,?), ref: 10002F36
LookupPrivilegeValueA.ADVAPI32(00000000,00000010,?), ref: 10002F4F
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000001,00000010), ref: 10002F7F
GetLastError.KERNEL32 ref: 10002F8B
CloseHandle.KERNEL32(?,?,?,1000238F,SeDebugPrivilege), ref: 10002FAC

Memory Dump Source

Source File: 00000001.00000002.2976574315.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2976553438.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2976597083.0000000010004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2976619836.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Au_.jbxd

Similarity

API ID: Token$AdjustCloseErrorHandleLastLookupOpenPrivilegePrivilegesProcessValue
String ID:
API String ID: 379965542-0
Opcode ID: ea75d512c8d60668871e854bdf4281ff2e21e264b9bbcfff9d41e9c086985a66
Instruction ID: bd85016692142ef6ea7efd5700280bb8306efffd53f88ef5a6bafc971b69a3c0
Opcode Fuzzy Hash: ea75d512c8d60668871e854bdf4281ff2e21e264b9bbcfff9d41e9c086985a66
Instruction Fuzzy Hash: 86111CB5A0020AEFEB01CFE5CC85AEEBBB8EB04385F104535E501D2194D7B4DA849B60

Function 6E5D1E90 Relevance: 6.2, APIs: 4, Instructions: 173COMMON

Download Yara Rule

APIs

Part of subcall function 6E5C9287: __getptd_noexit.LIBCMT ref: 6E5C9288
Part of subcall function 6E5C9287: __amsg_exit.LIBCMT ref: 6E5C9295

GetLocaleInfoW.KERNEL32(00000000,?,?,000000F0), ref: 6E5D1EE9
GetLocaleInfoW.KERNEL32(00000000,?,?,000000F0), ref: 6E5D1F36
GetLocaleInfoW.KERNEL32(00000000,?,?,000000F0), ref: 6E5D1FE6

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: InfoLocale$__amsg_exit__getptd_noexit
String ID:
API String ID: 41668988-0
Opcode ID: 181b70e6997908da4c0e6f9cad031c3db22b8dcb1e6eb2232e6409bec85c0bf4
Instruction ID: 75f9195fdcc6a24a50688af18f1381e8112b9d5b25d83be37e265b5bbf08f57b
Opcode Fuzzy Hash: 181b70e6997908da4c0e6f9cad031c3db22b8dcb1e6eb2232e6409bec85c0bf4
Instruction Fuzzy Hash: 015100715142079FEB188FA8CA91BBAB7FCEF01715F108169E900CA184EB74D94CCB65

Function 6E5BE5BB Relevance: 6.1, APIs: 4, Instructions: 85memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 6E5BE5E2
GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 6E5BE5FA
VirtualAlloc.KERNEL32(?,-00000001,00001000,00000004,?,?,0000001C), ref: 6E5BE651
VirtualProtect.KERNEL32(?,-00000001,00000104,?,?,?,0000001C), ref: 6E5BE666

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: Virtual$AllocInfoProtectQuerySystem
String ID:
API String ID: 3562403962-0
Opcode ID: b300a7fa29cfffa433ae9a89257ca866171fff1db4559fc1311daf0414ac6caa
Instruction ID: 957ec7f601ecad7843f147331efc47eaacd3815545f87e26032dcd69ecfcc882
Opcode Fuzzy Hash: b300a7fa29cfffa433ae9a89257ca866171fff1db4559fc1311daf0414ac6caa
Instruction Fuzzy Hash: 36215A72A0011AABDF10CFE5DC98AEFB7FCAB45794B0504A5E915E7240EF74A9048BA1

Function 6E5B1ED8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 6E5B1F1D
swprintf.LIBCMT ref: 6E5B1F5C

Part of subcall function 6E5A49EE: GlobalAlloc.KERNEL32(00000040,?,?,?,6E5B184C), ref: 6E5A4A06
Part of subcall function 6E5A49EE: lstrcpynA.KERNEL32(00000004,00000000,?,?,6E5B184C), ref: 6E5A4A19

Strings

%04i-%02i-%02iT%02i:%02i:%02iZ, xrefs: 6E5B1F51

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: AllocGlobalSystemTimelstrcpynswprintf
String ID: %04i-%02i-%02iT%02i:%02i:%02iZ
API String ID: 3638968448-3458534206
Opcode ID: 1feb306261c41829c146babfe9ff42e56709b80a8c4a27cc51d0979247d0db43
Instruction ID: 55f73140a2351c26d7a39c312c0634a3c9ce3fb3c684ef333e4a1937a7595c3f
Opcode Fuzzy Hash: 1feb306261c41829c146babfe9ff42e56709b80a8c4a27cc51d0979247d0db43
Instruction Fuzzy Hash: 2311C5B5900609AFCF50DFE8C945AEE77F8EB0C605F51445AFA45E6280EB38ED44CB60

Function 6E5D1D90 Relevance: 3.0, APIs: 2, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6E5C9287: __getptd_noexit.LIBCMT ref: 6E5C9288
Part of subcall function 6E5C9287: __amsg_exit.LIBCMT ref: 6E5C9295

_GetPrimaryLen.LIBCMT ref: 6E5D1DDB
EnumSystemLocalesW.KERNEL32(6E5D1E90,00000001,000000A0,?,?,6E5D23AE,00000000,?,?,?,?,?,00000055), ref: 6E5D1DEB

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: EnumLocalesPrimarySystem__amsg_exit__getptd_noexit
String ID:
API String ID: 3487593440-0
Opcode ID: 7ec54ca605482b4de65fc97f825d7d7388086f864f57dd2d6aafca216db73fb0
Instruction ID: 22d7e6a23ad237fd4688445ee42926da05426d16be9cd1b327246eaf95089e6a
Opcode Fuzzy Hash: 7ec54ca605482b4de65fc97f825d7d7388086f864f57dd2d6aafca216db73fb0
Instruction Fuzzy Hash: 1801F232450307DFEB209FF8D605BA5BBE8EF41B26F104D2DE19A86180D7B8A05CCB84

Function 6E5D2258 Relevance: 3.0, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 6E5C9287: __getptd_noexit.LIBCMT ref: 6E5C9288
Part of subcall function 6E5C9287: __amsg_exit.LIBCMT ref: 6E5C9295

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,6E5D2052,00000000,00000000,?), ref: 6E5D2282
_GetPrimaryLen.LIBCMT ref: 6E5D22A1

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: InfoLocalePrimary__amsg_exit__getptd_noexit
String ID:
API String ID: 2554324226-0
Opcode ID: 5511a3c34a944089e6fcc3298f9b16bbc603e18e11e17fe52d84437b9c4e3d26
Instruction ID: 829a124fc324367e8826fcd113092a4efa45902a2056e3811b515fc023fbbdd2
Opcode Fuzzy Hash: 5511a3c34a944089e6fcc3298f9b16bbc603e18e11e17fe52d84437b9c4e3d26
Instruction Fuzzy Hash: FDF02B36A10105BBEF4456F8DC11BEA77DCEB81758F00443AFA15E3040EB70E90486A4

Function 6E5D1E0D Relevance: 3.0, APIs: 2, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6E5C9287: __getptd_noexit.LIBCMT ref: 6E5C9288
Part of subcall function 6E5C9287: __amsg_exit.LIBCMT ref: 6E5C9295

_GetPrimaryLen.LIBCMT ref: 6E5D1E3F
EnumSystemLocalesW.KERNEL32(6E5D2083,00000001,?,?,6E5D2378,6E5CA270,?,?,00000055,?,?,6E5CA270,?,?,?), ref: 6E5D1E52

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: EnumLocalesPrimarySystem__amsg_exit__getptd_noexit
String ID:
API String ID: 3487593440-0
Opcode ID: d91b22c66f1fad38e5a7d9e4b56529ad6b4686b80bf341f6efe65b8a0ca70834
Instruction ID: 81a87a2bffbe432190125d53aef771ff8ca27dc63e4ddc71f911d9cb662f0252
Opcode Fuzzy Hash: d91b22c66f1fad38e5a7d9e4b56529ad6b4686b80bf341f6efe65b8a0ca70834
Instruction Fuzzy Hash: E3F0E572964305EEEB115FF8E804FE77FDDDF42B24F104C19E5898A181DB715C4886A9

Function 6E5C5141 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,6E5B176E,6E5C58FF,6E5B1446,?,?,00000001), ref: 6E5C5146
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 6E5C514F

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 64ad686024f2e45ca583e3d29565064e3710100caf86570c549148d25abad043
Instruction ID: be482163359cdc42a4d46a47b438b3e6f0e81bc32b6dd7ef1896eb773ac735c8
Opcode Fuzzy Hash: 64ad686024f2e45ca583e3d29565064e3710100caf86570c549148d25abad043
Instruction Fuzzy Hash: 89B09231044608BBCE002BE1D809B8A3F28EB0A692F010410F60D440528F6254508A9A

Function 6E5D2083 Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

Part of subcall function 6E5C9287: __getptd_noexit.LIBCMT ref: 6E5C9288
Part of subcall function 6E5C9287: __amsg_exit.LIBCMT ref: 6E5C9295

GetLocaleInfoW.KERNEL32(00000000,?,?,000000F0), ref: 6E5D20DC

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: InfoLocale__amsg_exit__getptd_noexit
String ID:
API String ID: 3113341244-0
Opcode ID: eb911e20ee990039cf972578bbca375e951f08119519c2471cd2efdc6b4706ff
Instruction ID: 93356634e25e639a8002ab3c67ab1e85062d70a41ed22ca5f5a71ff0cb045232
Opcode Fuzzy Hash: eb911e20ee990039cf972578bbca375e951f08119519c2471cd2efdc6b4706ff
Instruction Fuzzy Hash: AF210032910206AFDB048FE8D850BFB33ECEF81718F00817AEA04C7080EB749949CB69

Function 6E5D1CA2 Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 6E5C9287: __getptd_noexit.LIBCMT ref: 6E5C9288
Part of subcall function 6E5C9287: __amsg_exit.LIBCMT ref: 6E5C9295

GetLocaleInfoW.KERNEL32(00000000,?,?,000000F0,6E5CA277,00000000,6E5CA397), ref: 6E5D1CFA

Strings

D^nU, xrefs: 6E5D1B1B

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: InfoLocale__amsg_exit__getptd_noexit
String ID: D^nU
API String ID: 3113341244-526791073
Opcode ID: fced7f199df78ac141993417c4681a8f2fdee6f0b1af612bd8a50913c40cb090
Instruction ID: 1e0c0bf98eec673ad85b853bb742d2833959796fb841e20531e406feed8ab61d
Opcode Fuzzy Hash: fced7f199df78ac141993417c4681a8f2fdee6f0b1af612bd8a50913c40cb090
Instruction Fuzzy Hash: 35F0A472610205ABC7089BF8C855AFA33EC9B85719F01057DE641D7180EB745D058769

Function 6E5C54AC Relevance: 1.5, APIs: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(6E5C5498,00000001,?,6E5D1628,6E5D16C6,00000003,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 6E5C54DA

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: eb996cce7584a035f2a450be07a9e4d8d5df360cf7988da65e252b9121de8712
Instruction ID: 3a8c434d0a6f6e89a1bc8201082a2ff75775ff5f3ec6875c8052f504ebee4823
Opcode Fuzzy Hash: eb996cce7584a035f2a450be07a9e4d8d5df360cf7988da65e252b9121de8712
Instruction Fuzzy Hash: 6BE04631150708ABDF12CFE4CC82B593BE4BB06702F424404F60C8A151CB71A0608B45

Function 6E5C54E9 Relevance: 1.5, APIs: 1, Instructions: 18COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000000,00000002,?,?,6E5C6285,?,?,?,00000002,00000000,00000000,00000000), ref: 6E5C5510

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: b01c2568af5531964bf9c527b77cd51c75b6d1ea8ef587b8c996b576af5292f6
Instruction ID: c434efedb2890f27a252eff75d1e3a71b5b5ce8610ecc980162050aae4d01868
Opcode Fuzzy Hash: b01c2568af5531964bf9c527b77cd51c75b6d1ea8ef587b8c996b576af5292f6
Instruction Fuzzy Hash: A1D06772010609BFCF019FE0E855CAA3BA9FB89615B494849F91886510DF32A5209B62

Function 00405042 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 278windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 004050A1
GetDlgItem.USER32(?,000003EE), ref: 004050B0
GetClientRect.USER32(?,?), ref: 004050ED
GetSystemMetrics.USER32(00000015), ref: 004050F5
SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00405116
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405127
SendMessageA.USER32(?,00001001,00000000,00000110), ref: 0040513A
SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00405148
SendMessageA.USER32(?,00001024,00000000,?), ref: 0040515B
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040517D
ShowWindow.USER32(?,00000008), ref: 00405191
GetDlgItem.USER32(?,000003EC), ref: 004051B2
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004051C2
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004051DB
SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 004051E7
GetDlgItem.USER32(?,000003F8), ref: 004050BF

Part of subcall function 00403F4D: SendMessageA.USER32(00000028,?,00000001,00403D7E), ref: 00403F5B

GetDlgItem.USER32(?,000003EC), ref: 00405204
CreateThread.KERNEL32(00000000,00000000,Function_00004FD6,00000000), ref: 00405212
CloseHandle.KERNEL32(00000000), ref: 00405219
ShowWindow.USER32(00000000), ref: 0040523D
ShowWindow.USER32(?,00000008), ref: 00405242
ShowWindow.USER32(00000008), ref: 00405289
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052BB
CreatePopupMenu.USER32 ref: 004052CC
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004052E1
GetWindowRect.USER32(?,?), ref: 004052F4
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405318
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405353
OpenClipboard.USER32(00000000), ref: 00405363
EmptyClipboard.USER32 ref: 00405369
GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405372
GlobalLock.KERNEL32(00000000), ref: 0040537C
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405390
GlobalUnlock.KERNEL32(00000000), ref: 004053A8
SetClipboardData.USER32(00000001,00000000), ref: 004053B3
CloseClipboard.USER32 ref: 004053B9

Strings

{, xrefs: 004052A8

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: f9dd1ec61b611cb119bd1a7c58ba16ca99272bb36659aa2dbc47dc2bbe41bde8
Instruction ID: d5cc792025810b1fa5c52fd71f17093da58624e5fcdd428af89ce0e6d8bd8183
Opcode Fuzzy Hash: f9dd1ec61b611cb119bd1a7c58ba16ca99272bb36659aa2dbc47dc2bbe41bde8
Instruction Fuzzy Hash: 21A15870804208FFDB119FA0DD89AAE3F79FB04354F10417AFA05BA2A0C7B55A41DF59

Function 6E5A3F77 Relevance: 52.8, APIs: 22, Strings: 8, Instructions: 326comCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6E5A3F81
CoInitialize.OLE32(00000000), ref: 6E5A3FAC
CoUninitialize.OLE32 ref: 6E5A3FB8
_sprintf.LIBCMT ref: 6E5A3FCB
CoCreateInstance.OLE32(6E5E119C,00000000,00000001,6E5E0F8C,00000000), ref: 6E5A400F
CoUninitialize.OLE32 ref: 6E5A401B
VariantInit.OLEAUT32(?), ref: 6E5A4036
VariantInit.OLEAUT32(?), ref: 6E5A404F
VariantInit.OLEAUT32(?), ref: 6E5A4068
VariantInit.OLEAUT32(?), ref: 6E5A4081
VariantClear.OLEAUT32(?), ref: 6E5A40DE
VariantClear.OLEAUT32(?), ref: 6E5A40E7
VariantClear.OLEAUT32(?), ref: 6E5A40F0
VariantClear.OLEAUT32(?), ref: 6E5A40FD
CoUninitialize.OLE32 ref: 6E5A4103
_sprintf.LIBCMT ref: 6E5A4116
CoUninitialize.OLE32 ref: 6E5A4195
CoUninitialize.OLE32 ref: 6E5A41CE
CoUninitialize.OLE32 ref: 6E5A4201
VariantClear.OLEAUT32(?), ref: 6E5A4264
_free.LIBCMT ref: 6E5A42F7
SysFreeString.OLEAUT32(00000000), ref: 6E5A4303

Strings

Cannot get the registered task item at index=%d: %x, xrefs: 6E5A434E
Failed Initialize COM: %x, xrefs: 6E5A3FBF
Failed Initialize Create TaskScheduler Com Instance: %x, xrefs: 6E5A4022
Cannot get the registered tasks, xrefs: 6E5A41D4
Found 0 Tasks, xrefs: 6E5A4207
Failed to get Root folder pointer, xrefs: 6E5A419B
Failed Initialize COM security: %x, xrefs: 6E5A4110
Cannot get the registered task name, xrefs: 6E5A430B

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: Variant$Uninitialize$Clear$Init$_sprintf$CreateFreeH_prolog3_InitializeInstanceString_free
String ID: Cannot get the registered task item at index=%d: %x$Cannot get the registered task name$Cannot get the registered tasks$Failed Initialize COM security: %x$Failed Initialize COM: %x$Failed Initialize Create TaskScheduler Com Instance: %x$Failed to get Root folder pointer$Found 0 Tasks
API String ID: 1180555890-629245218
Opcode ID: 8d6ef795391421a7217c7f994574c28bb8e030b8c426267434735258790e65a4
Instruction ID: a7714b0b78244ea61ce162a0862ad81c9dcdb0ab16546cf6b927c8c4f02408af
Opcode Fuzzy Hash: 8d6ef795391421a7217c7f994574c28bb8e030b8c426267434735258790e65a4
Instruction Fuzzy Hash: 06D148719001299BCB61DFE8CD84BDEB7B9AF49304F0044D9EA09AB241DB719F89CF91

Function 00404060 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004040EB
GetDlgItem.USER32(00000000,000003E8), ref: 004040FF
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040411D
GetSysColor.USER32(?), ref: 0040412E
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040413D
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040414C
lstrlenA.KERNEL32(?), ref: 00404156
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404164
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404173
GetDlgItem.USER32(?,0000040A), ref: 004041D6
SendMessageA.USER32(00000000), ref: 004041D9
GetDlgItem.USER32(?,000003E8), ref: 00404204
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404244
LoadCursorA.USER32(00000000,00007F02), ref: 00404253
SetCursor.USER32(00000000), ref: 0040425C
ShellExecuteA.SHELL32(0000070B,open,@C,00000000,00000000,00000001), ref: 0040426F
LoadCursorA.USER32(00000000,00007F00), ref: 0040427C
SetCursor.USER32(00000000), ref: 0040427F
SendMessageA.USER32(00000111,00000001,00000000), ref: 004042AB
SendMessageA.USER32(00000010,00000000,00000000), ref: 004042BF

Strings

open, xrefs: 00404267
N, xrefs: 004041F2
@C, xrefs: 00404264

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: @C$N$open
API String ID: 3615053054-560641889
Opcode ID: 7eb73afa992198c4f98a95f14df475cedb7533b9faad63bc5bef38095aed9e24
Instruction ID: 3a1959b9348cc4f2966bed60e082faf824cb7eb55f7dfb2b2a637252ef2f0b8f
Opcode Fuzzy Hash: 7eb73afa992198c4f98a95f14df475cedb7533b9faad63bc5bef38095aed9e24
Instruction Fuzzy Hash: 4F61BFB1A40309BFEB109F60DC45F6A3B69FB44755F10807AFB04BA2D1C7B8A951CB99

Function 10001C51 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 84windowstringCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,0000001E), ref: 10001C8B
lstrcmpiA.KERNEL32(?,#32770), ref: 10001C96
IsWindowVisible.USER32 ref: 10001CAA
GetWindowLongA.USER32(?,000000EC), ref: 10001CBA
SetWindowLongA.USER32(?,000000EC,00000000), ref: 10001CC9
SetForegroundWindow.USER32(?), ref: 10001CD2
GetDlgItem.USER32(?,00000105), ref: 10001CEC
GetClassNameA.USER32(00000000), ref: 10001CEF
lstrcmpiA.KERNEL32(?,SysCredential), ref: 10001CFA
GetDlgItem.USER32(?,00000106), ref: 10001D16
SendMessageA.USER32(00000000), ref: 10001D1F
GetDlgItem.USER32(?,00000104), ref: 10001D33
SendMessageA.USER32(00000000), ref: 10001D36
CallNextHookEx.USER32(00000000,?,?), ref: 10001D45

Strings

#32770, xrefs: 10001C90
SysCredential, xrefs: 10001CF4

Memory Dump Source

Source File: 00000001.00000002.2976574315.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2976553438.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2976597083.0000000010004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2976619836.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Au_.jbxd

Similarity

API ID: Window$Item$ClassLongMessageNameSendlstrcmpi$CallForegroundHookNextVisible
String ID: #32770$SysCredential
API String ID: 898850336-2483313885
Opcode ID: bc5a4a3c7dfef6ba79154aa31c7bb68ed6e3f59c4a469a5e385da3355d7c1385
Instruction ID: c26e0e65b24013f7fb045945b6ce819b1870cb7cba784f0436b3eee35e59ed1c
Opcode Fuzzy Hash: bc5a4a3c7dfef6ba79154aa31c7bb68ed6e3f59c4a469a5e385da3355d7c1385
Instruction Fuzzy Hash: EE213971640359ABFB20AFA1CC89FEA77BCEF48781F010919F751A60A4D7B4E9449B24

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00442EA0,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 055318d4bc47e4a764edf33350f334e63965e525b0f85424403fd80477bc7367
Instruction ID: ad11f47ad4c56fba0198c5e023b152b535431d91685ad324ade778771994e4e2
Opcode Fuzzy Hash: 055318d4bc47e4a764edf33350f334e63965e525b0f85424403fd80477bc7367
Instruction Fuzzy Hash: 68419A72804249AFCB058FA5CD459BFBBB9FF45314F00812AF951AA1A0C778AA50DFA5

Function 06D910EF Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 112stringCOMMON

Download Yara Rule

APIs

Part of subcall function 06D91DD9: lstrcpynA.KERNEL32(06D91054,?,?,?,06D91054,?), ref: 06D91E06
Part of subcall function 06D91DD9: GlobalFree.KERNELBASE ref: 06D91E16

lstrcmpiA.KERNEL32(?,save), ref: 06D91168
GetFileAttributesA.KERNEL32(06D948A0), ref: 06D9117A
lstrcpyA.KERNEL32(06D94CA0,06D948A0), ref: 06D91193
lstrcpyA.KERNEL32(06D944A0,All Files|*.*), ref: 06D911B6
CharNextA.USER32(06D944A0), ref: 06D911D3
GetCurrentDirectoryA.KERNEL32(00000400,06D940A0), ref: 06D911E9
GetSaveFileNameA.COMDLG32(0000004C), ref: 06D911FD
GetOpenFileNameA.COMDLG32(0000004C), ref: 06D91205
CommDlgExtendedError.COMDLG32 ref: 06D9120B
GetSaveFileNameA.COMDLG32(0000004C), ref: 06D91227
GetOpenFileNameA.COMDLG32(0000004C), ref: 06D9122F
SetCurrentDirectoryA.KERNEL32(06D940A0,06D948A0), ref: 06D91247

Strings

All Files|*.*, xrefs: 06D911B0
save, xrefs: 06D91162
L, xrefs: 06D91135

Memory Dump Source

Source File: 00000001.00000002.2976302121.0000000006D91000.00000020.00000001.01000000.00000009.sdmp, Offset: 06D90000, based on PE: true

Associated: 00000001.00000002.2976276508.0000000006D90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2976439780.0000000006D93000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2976488802.0000000006D94000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2976529163.0000000006D97000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6d90000_Au_.jbxd

Similarity

API ID: File$Name$CurrentDirectoryOpenSavelstrcpy$AttributesCharCommErrorExtendedFreeGlobalNextlstrcmpilstrcpyn
String ID: All Files|*.*$L$save
API String ID: 3853173656-601108453
Opcode ID: 7856b16b826f9ef0434e509a071d83324290c94a31b7b0e483fb8a33f8dc0a81
Instruction ID: 855ecc98bab3210662c3339219f07fc80068a55b288fa6480c1be399ede4744c
Opcode Fuzzy Hash: 7856b16b826f9ef0434e509a071d83324290c94a31b7b0e483fb8a33f8dc0a81
Instruction Fuzzy Hash: 6241F574D01345BFDFA0AF66EC49B5A3FE9AB06318F410115E65EE6342C7B48809CBB0

Function 004058B4 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 144filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00405E88: GetModuleHandleA.KERNEL32(?,?,00000000,0040327F,00000008), ref: 00405E9A
Part of subcall function 00405E88: LoadLibraryA.KERNELBASE(?,?,00000000,0040327F,00000008), ref: 00405EA5
Part of subcall function 00405E88: GetProcAddress.KERNEL32(00000000,?), ref: 00405EB6

CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,00405649,?,00000000,000000F1,?), ref: 00405901
GetShortPathNameA.KERNEL32(?,0043E630,00000400), ref: 0040590A
GetShortPathNameA.KERNEL32(00000000,0043E0A8,00000400), ref: 00405927
wsprintfA.USER32 ref: 00405945
GetFileSize.KERNEL32(00000000,00000000,0043E0A8,C0000000,00000004,0043E0A8,?,?,?,00000000,000000F1,?), ref: 00405980
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 0040598F
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 004059A5
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,0043DCA8,00000000,-0000000A,00409350,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004059EB
WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 004059FD
GlobalFree.KERNEL32(00000000), ref: 00405A04
CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 00405A0B

Part of subcall function 004057B2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,004059C0,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057B9
Part of subcall function 004057B2: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004059C0,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057E9

Strings

%s=%s, xrefs: 0040593B
[Rename], xrefs: 004059B5, 004059C7
0C, xrefs: 004058EF

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
String ID: %s=%s$0C$[Rename]
API String ID: 3772915668-2466990604
Opcode ID: 0cba16278340fcd60d1fa59ff28b3b53525deda11aae3c5a7c4788638b26bb93
Instruction ID: e4acf15c9d64fbf53db5c011c469a52faadac1e9922c4ea510687d497f36d3fc
Opcode Fuzzy Hash: 0cba16278340fcd60d1fa59ff28b3b53525deda11aae3c5a7c4788638b26bb93
Instruction Fuzzy Hash: AF410231605B01ABE3207B619C89F6B3A5CEF85715F140136FE05F22D2E678A801CEBE

Function 02501D3B Relevance: 21.5, APIs: 14, Instructions: 499stringlibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 02501541: GlobalAlloc.KERNELBASE(00000040,02501577,?,?,02501804,?,02501017), ref: 02501549

Part of subcall function 02501561: lstrcpyA.KERNEL32(00000000,?,?,?,02501804,?,02501017), ref: 0250157E
Part of subcall function 02501561: GlobalFree.KERNEL32 ref: 0250158F

GlobalAlloc.KERNEL32(00000040,000014A4), ref: 02501E28
lstrcpyA.KERNEL32(00000008,?), ref: 02501E74
lstrcpyA.KERNEL32(00000408,?), ref: 02501E7E
GlobalFree.KERNEL32(00000000), ref: 02501E98
GlobalFree.KERNEL32(?), ref: 02501F80
GlobalFree.KERNEL32(?), ref: 02501F85
GlobalFree.KERNEL32(?), ref: 02501F8A
GlobalFree.KERNEL32(00000000), ref: 0250212C
lstrcpyA.KERNEL32(?,?), ref: 02502273
GetModuleHandleA.KERNEL32(00000008), ref: 025022DA
LoadLibraryA.KERNEL32(00000008), ref: 025022EB
GetProcAddress.KERNEL32(?,00000408), ref: 0250230E
lstrcatA.KERNEL32(00000408,02504024), ref: 02502320
GetProcAddress.KERNEL32(?,00000408), ref: 0250232D

Memory Dump Source

Source File: 00000001.00000002.2973409424.0000000002501000.00000020.00000001.01000000.00000008.sdmp, Offset: 02500000, based on PE: true

Associated: 00000001.00000002.2973389138.0000000002500000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.2973429594.0000000002503000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.2973449141.0000000002505000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2500000_Au_.jbxd

Similarity

API ID: Global$Free$lstrcpy$AddressAllocProc$HandleLibraryLoadModulelstrcat
String ID:
API String ID: 2432367840-0
Opcode ID: 2b41169dcd96f810183bfb80cf1aa08488d09e2ee93b3d69509bae27141c8e2b
Instruction ID: 35459f9c47d7b308c301182acf9d5435a86b85b7e3d4059473357f2718dff87e
Opcode Fuzzy Hash: 2b41169dcd96f810183bfb80cf1aa08488d09e2ee93b3d69509bae27141c8e2b
Instruction Fuzzy Hash: D7025C71D04A0ADFCB209FA8CCC87EDBBF4BB08304F54896AD56AE61C0D7749A45CB59

Function 00404356 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 266stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004043A2
SetWindowTextA.USER32(?,?), ref: 004043CF
SHBrowseForFolderA.SHELL32(?,0042BC70,?), ref: 00404484
CoTaskMemFree.OLE32(00000000), ref: 0040448F
lstrcmpiA.KERNEL32(Show,00431CA0), ref: 004044C1
lstrcatA.KERNEL32(?,Show), ref: 004044CD
SetDlgItemTextA.USER32(?,000003FB,?), ref: 004044DD

Part of subcall function 0040540B: GetDlgItemTextA.USER32(?,?,00002000,00404510), ref: 0040541E

Part of subcall function 00405DC8: CharNextA.USER32(?,*?|<>/":,00000000,00479000,"C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" ,00479000,00000000,00403214,00479000,00000000,00403386), ref: 00405E20
Part of subcall function 00405DC8: CharNextA.USER32(?,?,?,00000000), ref: 00405E2D
Part of subcall function 00405DC8: CharNextA.USER32(?,00479000,"C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" ,00479000,00000000,00403214,00479000,00000000,00403386), ref: 00405E32
Part of subcall function 00405DC8: CharPrevA.USER32(?,?,"C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" ,00479000,00000000,00403214,00479000,00000000,00403386), ref: 00405E42

GetDiskFreeSpaceA.KERNEL32(00429C68,?,?,0000040F,?,00429C68,00429C68,?,00000000,00429C68,?,?,000003FB,?), ref: 00404596
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004045B1
SetDlgItemTextA.USER32(00000000,00000400,00429C58), ref: 0040462A

Strings

Show, xrefs: 004044BB, 004044C0, 004044CB
A, xrefs: 0040447D

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: A$Show
API String ID: 2246997448-4076820621
Opcode ID: 3b5d6d58123ad3be4efc0fc18460bcaf2051817d57d9130af0bc9e59323d7d5d
Instruction ID: 837b9add0ee4c7fa7edda3a2cfc136c172d34a8f6a08fd8700377a4301a7160d
Opcode Fuzzy Hash: 3b5d6d58123ad3be4efc0fc18460bcaf2051817d57d9130af0bc9e59323d7d5d
Instruction Fuzzy Hash: 57917EB1900208ABDB11DFA2CD84AAF7BB8EF85354F10447BF604B62D1D77C9A419B69

Function 6E5A3D78 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 135comCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6E5A3D82
CoInitialize.OLE32(00000000), ref: 6E5A3DA7
_sprintf.LIBCMT ref: 6E5A3DBE
CoCreateInstance.OLE32(6E5DA43C,00000000,00000001,6E5DA42C,?), ref: 6E5A3DF3
CoUninitialize.OLE32 ref: 6E5A3E2A
_free.LIBCMT ref: 6E5A3EE6
CoTaskMemFree.OLE32(?,00000000,?,?,00000003), ref: 6E5A3EFB
CoTaskMemFree.OLE32(?), ref: 6E5A3F11
CoUninitialize.OLE32 ref: 6E5A3F43

Strings

Failed Initialize COM: %x, xrefs: 6E5A3DB2
Failed Initialize Create TaskScheduler Com Instance: %x, xrefs: 6E5A3DFE
Failed To Get Enumeration Object, xrefs: 6E5A3E30

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: FreeTaskUninitialize$CreateH_prolog3_InitializeInstance_free_sprintf
String ID: Failed Initialize COM: %x$Failed Initialize Create TaskScheduler Com Instance: %x$Failed To Get Enumeration Object
API String ID: 3037062998-2724824746
Opcode ID: 10f8405d8890efd82589d2cd12eb902d7cc840be75178d286f143e979819ef9d
Instruction ID: e6e367d3c52d9f81a89584571276c827c2cdc25bf45a56f4d6ac7a688b3e7c78
Opcode Fuzzy Hash: 10f8405d8890efd82589d2cd12eb902d7cc840be75178d286f143e979819ef9d
Instruction Fuzzy Hash: BB512D70E001199BDB24DFA9CD94FEDB7B9AF58304F0084E9E609A7641EB705E89CF50

Function 1000203A Relevance: 19.7, APIs: 13, Instructions: 153windowCOMMON

Download Yara Rule

APIs

DuplicateHandle.KERNEL32(000000FF,00000000,?,00000006,00000000,00000000), ref: 100020B1
DuplicateHandle.KERNEL32(000000FF,?,?,?,00100002,00000000,00000000), ref: 100020E5
DestroyWindow.USER32(?), ref: 10002115
SendMessageA.USER32(?,00008005,00000000,00000000), ref: 1000212C
PostMessageA.USER32(00000000,00000012,00000000,00000000), ref: 10002137
GetWindowLongA.USER32(?,000000F0), ref: 10002144
SetForegroundWindow.USER32(?), ref: 10002154
ShowWindow.USER32(?,00000000), ref: 1000215F
PostMessageA.USER32(?,00008002,?,?), ref: 1000216E
ShowWindow.USER32(00000000), ref: 1000218D
DestroyWindow.USER32 ref: 10002199
DefWindowProcA.USER32(?,?,?,?), ref: 100021A9

Memory Dump Source

Source File: 00000001.00000002.2976574315.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2976553438.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2976597083.0000000010004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2976619836.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Au_.jbxd

Similarity

API ID: Window$Message$DestroyDuplicateHandlePostShow$ForegroundLongProcSend
String ID:
API String ID: 1417430255-0
Opcode ID: eae6238f62bcba03fcf7096643482a2d2d492833aea162d38a7964b38814e257
Instruction ID: 74c6bae19b8af0f634bdf56c16651beaf3ca8c8e6039be5ed8003dd7f4f1f71b
Opcode Fuzzy Hash: eae6238f62bcba03fcf7096643482a2d2d492833aea162d38a7964b38814e257
Instruction Fuzzy Hash: F6517A7110025AABFB15CFA4CD88EEA3BB5FB587C0F110124FA15D61ACDB718EA1DB20

Function 6E5ADCF3 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 254COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6E5ADCFA

Part of subcall function 6E5A1792: _memmove.LIBCMT ref: 6E5A189C

Part of subcall function 6E5A1792: __EH_prolog3.LIBCMT ref: 6E5A18E1

Part of subcall function 6E5A1792: _memmove.LIBCMT ref: 6E5A1802

Part of subcall function 6E5ACCEA: SysFreeString.OLEAUT32 ref: 6E5ACD1B

SysFreeString.OLEAUT32(?), ref: 6E5ADDE3
SysFreeString.OLEAUT32(?), ref: 6E5ADDE8
VariantInit.OLEAUT32(?), ref: 6E5ADE34
SysFreeString.OLEAUT32(?), ref: 6E5ADE71
VariantClear.OLEAUT32(?), ref: 6E5ADF16
VariantClear.OLEAUT32(?), ref: 6E5ADF6F
VariantClear.OLEAUT32(?), ref: 6E5ADF75

Part of subcall function 6E5A3A76: __EH_prolog3.LIBCMT ref: 6E5A3A7D

Part of subcall function 6E5A3B0A: InterlockedDecrement.KERNEL32(00000001), ref: 6E5A3B12
Part of subcall function 6E5A3B0A: SysFreeString.OLEAUT32 ref: 6E5A3B28

Strings

WQL, xrefs: 6E5ADDB1
SELECT , xrefs: 6E5ADD1D
FROM , xrefs: 6E5ADD45, 6E5ADD4A, 6E5ADD52

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: FreeString$Variant$Clear$H_prolog3_memmove$DecrementH_prolog3_InitInterlocked
String ID: FROM $SELECT $WQL
API String ID: 478432954-921697302
Opcode ID: 5a01aab29f18bbf60f2c51aaecbc36f2f689af95a9c6de6b70927c3e76e367e2
Instruction ID: 9036a3f3900d6bb394bd93252aef8bfd509f160f0e034d88811931ca8349132c
Opcode Fuzzy Hash: 5a01aab29f18bbf60f2c51aaecbc36f2f689af95a9c6de6b70927c3e76e367e2
Instruction Fuzzy Hash: 0291AF71901248AFDF04EBE8D954FEEBBF9AF85308F104559E611EB180DB709E08CB61

Function 6E5ADFC1 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 240COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6E5ADFC8

Part of subcall function 6E5A1792: _memmove.LIBCMT ref: 6E5A189C

Part of subcall function 6E5A1792: __EH_prolog3.LIBCMT ref: 6E5A18E1

Part of subcall function 6E5ACCEA: SysFreeString.OLEAUT32 ref: 6E5ACD1B

SysFreeString.OLEAUT32(?), ref: 6E5AE08D
SysFreeString.OLEAUT32(?), ref: 6E5AE092
VariantInit.OLEAUT32(?), ref: 6E5AE0DC
SysFreeString.OLEAUT32(?), ref: 6E5AE11B
VariantClear.OLEAUT32(000000FF), ref: 6E5AE1BC
VariantClear.OLEAUT32(000000FF), ref: 6E5AE215
VariantClear.OLEAUT32(?), ref: 6E5AE21B

Part of subcall function 6E5A3A76: __EH_prolog3.LIBCMT ref: 6E5A3A7D

Part of subcall function 6E5A3B0A: InterlockedDecrement.KERNEL32(00000001), ref: 6E5A3B12
Part of subcall function 6E5A3B0A: SysFreeString.OLEAUT32 ref: 6E5A3B28

Strings

WQL, xrefs: 6E5AE05B
SELECT , xrefs: 6E5ADFEB
FROM , xrefs: 6E5AE015, 6E5AE01A, 6E5AE022

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: FreeString$Variant$Clear$H_prolog3$DecrementH_prolog3_InitInterlocked_memmove
String ID: FROM $SELECT $WQL
API String ID: 2420725925-921697302
Opcode ID: 4505d85442d9b28e0d6a7043695e2456cc24d37cdbcf0c14aab8ea6928cff4df
Instruction ID: c4d7ed044848414fa7e99680483d198e5a6ccc7d107e726f778a5a25e9c33954
Opcode Fuzzy Hash: 4505d85442d9b28e0d6a7043695e2456cc24d37cdbcf0c14aab8ea6928cff4df
Instruction Fuzzy Hash: E9919E71901248AFEF04DBE8D954FEDBBF9AF89304F108459E611EB291DB709E09CB61

Function 6E5A1E4E Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 340COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 6E5A1F13
_memmove.LIBCMT ref: 6E5A1F4A
_memmove.LIBCMT ref: 6E5A1F7F
_memmove.LIBCMT ref: 6E5A2007
_memmove.LIBCMT ref: 6E5A207E
_memmove.LIBCMT ref: 6E5A20E4
_memmove.LIBCMT ref: 6E5A2128
_memmove.LIBCMT ref: 6E5A2162

Strings

string too long, xrefs: 6E5A2188
invalid string position, xrefs: 6E5A2192

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: a9d30f15420e7ab3a8ece2b2f6d23da89e06c4184a5f3977cdf1fa0740ee3218
Instruction ID: 9192baa6a54e60a36efe7428495ff2058ea24a5bedccb92ba80a75aa63ebc99d
Opcode Fuzzy Hash: a9d30f15420e7ab3a8ece2b2f6d23da89e06c4184a5f3977cdf1fa0740ee3218
Instruction Fuzzy Hash: 40D16CB5A0064ADFDB14CF8DC99299EB7F5FF48744B108929EA45CB700D730EA54CBA1

Function 06D914CA Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 202windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,?,?), ref: 06D91528
GetDlgItem.USER32(?,?), ref: 06D9153B
GetWindowTextA.USER32(?,00000000,00000400), ref: 06D9165E
DrawTextA.USER32(?,00000000,000000FF,?,00000414), ref: 06D9167F
GetWindowLongA.USER32(?,000000EB), ref: 06D916CA
SetTextColor.GDI32(?,00FF0000), ref: 06D916DC
DrawTextA.USER32(?,00000000,000000FF,00000000,?), ref: 06D916F6
DrawFocusRect.USER32(?,00000010), ref: 06D91717
RemovePropA.USER32(00000000,NSIS: nsControl pointer property), ref: 06D9173B

Strings

NSIS: nsControl pointer property, xrefs: 06D91733

Memory Dump Source

Source File: 00000001.00000002.2976302121.0000000006D91000.00000020.00000001.01000000.00000009.sdmp, Offset: 06D90000, based on PE: true

Associated: 00000001.00000002.2976276508.0000000006D90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2976439780.0000000006D93000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2976488802.0000000006D94000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2976529163.0000000006D97000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6d90000_Au_.jbxd

Similarity

API ID: Text$Draw$Window$ColorFocusItemLongMessagePropRectRemoveSend
String ID: NSIS: nsControl pointer property
API String ID: 2331901045-1714965683
Opcode ID: a27e410f3384d16e1ae3327c296a744cce97fe8147d0d938dc41f6d2d86c5159
Instruction ID: 9da594a68c391eb9156969c1937080e7afe1e3399c766c460055853e8248524b
Opcode Fuzzy Hash: a27e410f3384d16e1ae3327c296a744cce97fe8147d0d938dc41f6d2d86c5159
Instruction Fuzzy Hash: A471AB70D0020BEBDFA19F64DC84BBA7BB6FB00344F454565EA19A6295C771D891CBB0

Function 10002357 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 89threadwindowCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(?,?), ref: 10002378

Part of subcall function 10002F22: OpenProcessToken.ADVAPI32(000000FF,00000028,?,00000000,?,?,1000238F,SeDebugPrivilege,00000001,?), ref: 10002F36
Part of subcall function 10002F22: LookupPrivilegeValueA.ADVAPI32(00000000,00000010,?), ref: 10002F4F
Part of subcall function 10002F22: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000001,00000010), ref: 10002F7F
Part of subcall function 10002F22: GetLastError.KERNEL32 ref: 10002F8B
Part of subcall function 10002F22: CloseHandle.KERNEL32(?,?,?,1000238F,SeDebugPrivilege), ref: 10002FAC

OpenProcess.KERNEL32(00000040,00000000,?,SeDebugPrivilege,00000001,?), ref: 10002395
GetLastError.KERNEL32 ref: 100023A2
DuplicateHandle.KERNEL32(000000FF,000000FF,00000000,?,00000040,00000000,00000001), ref: 100023BB
SendMessageA.USER32(00008004,00000539,?,SeDebugPrivilege), ref: 100023E4

Strings

SeDebugPrivilege, xrefs: 10002381, 10002389, 100023C5

Memory Dump Source

Source File: 00000001.00000002.2976574315.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2976553438.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2976597083.0000000010004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2976619836.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Au_.jbxd

Similarity

API ID: Process$ErrorHandleLastOpenToken$AdjustCloseDuplicateLookupMessagePrivilegePrivilegesSendThreadValueWindow
String ID: SeDebugPrivilege
API String ID: 3436673191-2896544425
Opcode ID: cb53f05afa7be2de9fb32b120f72a25d8a9fec339c2f301f330aa57a49db5686
Instruction ID: c66332e51502a56bb2114d803002d8b96d14e5681058ef75f00f033a229ca417
Opcode Fuzzy Hash: cb53f05afa7be2de9fb32b120f72a25d8a9fec339c2f301f330aa57a49db5686
Instruction Fuzzy Hash: 9B21BDB1A00228FFFB01DB94DCC5EAA3BADE7047D5F124125F200A21F8CAB05E449B25

Function 6E5A4407 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78comCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 6E5A4411
CoInitialize.OLE32(00000000), ref: 6E5A443E
CoUninitialize.OLE32 ref: 6E5A444A
_sprintf.LIBCMT ref: 6E5A445D
CoCreateInstance.OLE32(6E5E119C,00000000,00000001,6E5E0F8C,?), ref: 6E5A449F
CoUninitialize.OLE32 ref: 6E5A44AC
_sprintf.LIBCMT ref: 6E5A450B
CoUninitialize.OLE32 ref: 6E5A4513
CoUninitialize.OLE32 ref: 6E5A451E

Strings

Failed Initialize COM: %x, xrefs: 6E5A4457, 6E5A4505

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: Uninitialize$_sprintf$CreateH_prolog3_catch_InitializeInstance
String ID: Failed Initialize COM: %x
API String ID: 1980926234-692858042
Opcode ID: 03ab9a6fe399f8a89658a58a8a97f6f6470160671fc4053130f2062c1487e207
Instruction ID: 5df55a74895da3a1ad5bbdc31d36230a226d5582eb494d07790888506fe88485
Opcode Fuzzy Hash: 03ab9a6fe399f8a89658a58a8a97f6f6470160671fc4053130f2062c1487e207
Instruction Fuzzy Hash: 30317F708001199BCB25DFE8CD44BDD76F96B45308F004999A319A2241EF704F8D8B51

Function 025025FE Relevance: 16.6, APIs: 11, Instructions: 140memoryCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0250265F
GlobalAlloc.KERNEL32(00000040,?,?,?,?,00000000,00000001,02501A8A,00000000), ref: 02502677
StringFromGUID2.OLE32(?,00000000,?,?,?,?,00000000,00000001,02501A8A,00000000), ref: 0250268A
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000000,00000001,02501A8A,00000000), ref: 0250269F
GlobalFree.KERNEL32(00000000), ref: 025026A6

Part of subcall function 0250160E: lstrcpyA.KERNEL32(-02504047,00000000,?,0250118F,?,00000000), ref: 02501636

GlobalFree.KERNEL32(?), ref: 02502728
GlobalFree.KERNEL32(00000000), ref: 02502751

Memory Dump Source

Source File: 00000001.00000002.2973409424.0000000002501000.00000020.00000001.01000000.00000008.sdmp, Offset: 02500000, based on PE: true

Associated: 00000001.00000002.2973389138.0000000002500000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.2973429594.0000000002503000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.2973449141.0000000002505000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2500000_Au_.jbxd

Similarity

API ID: Global$Free$AllocByteCharFromMultiStringWidelstrcpywsprintf
String ID:
API String ID: 2278267121-0
Opcode ID: 218716a5f89ce3684817d4c3b9cbf4f5be28a5afc8e94658c2dd8d9be70d8c85
Instruction ID: 8a4333d883a4933f424e882417552178c0772ea80117590ced109777b498c54e
Opcode Fuzzy Hash: 218716a5f89ce3684817d4c3b9cbf4f5be28a5afc8e94658c2dd8d9be70d8c85
Instruction Fuzzy Hash: 0941BC31900605EFDB219F68DCCCD37BBADFB84344B150959FD46CA184DB31AC64DA29

Function 6E5C5A8F Relevance: 16.6, APIs: 11, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 6E5C5AB0

Part of subcall function 6E5BE079: HeapFree.KERNEL32(00000000,00000000,?,6E5C92FF,00000000,00000001,00000000,6E5B176E,?,?,6E5BDC99,6E5B96DD,?), ref: 6E5BE08D
Part of subcall function 6E5BE079: GetLastError.KERNEL32(00000000,?,6E5C92FF,00000000,00000001,00000000,6E5B176E,?,?,6E5BDC99,6E5B96DD,?), ref: 6E5BE09F

_free.LIBCMT ref: 6E5C5AC3
_free.LIBCMT ref: 6E5C5AE1
_free.LIBCMT ref: 6E5C5AF3
_free.LIBCMT ref: 6E5C5B04
_free.LIBCMT ref: 6E5C5B0F
_free.LIBCMT ref: 6E5C5B31
_free.LIBCMT ref: 6E5C5B4E
_free.LIBCMT ref: 6E5C5B64
InterlockedDecrement.KERNEL32 ref: 6E5C5B76
_free.LIBCMT ref: 6E5C5B90

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: _free$DecrementErrorFreeHeapInterlockedLast
String ID:
API String ID: 148191977-0
Opcode ID: 8a8bd01e7c02b984c33f2a62deefe05c37589dd04338591308fd7bc9db8072f9
Instruction ID: ba385700180318552f7221668dede1eaf3cefed82b2183c7987c2d5a1cdd4528
Opcode Fuzzy Hash: 8a8bd01e7c02b984c33f2a62deefe05c37589dd04338591308fd7bc9db8072f9
Instruction Fuzzy Hash: 5C21B172804A1ADBEF605FE4D8B48653BF8EB4676531B086DEA04A3264CF315C80CB42

Function 6E5ACAEB Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6E5ACAF2
std::_Lockit::_Lockit.LIBCPMT ref: 6E5ACAFC

Part of subcall function 6E5B9775: __lock.LIBCMT ref: 6E5B9786

int.LIBCPMT ref: 6E5ACB13

Part of subcall function 6E5AC730: std::_Lockit::_Lockit.LIBCPMT ref: 6E5AC741

std::locale::_Getfacet.LIBCPMT ref: 6E5ACB1C
ctype.LIBCPMT ref: 6E5ACB36
std::bad_exception::bad_exception.LIBCMT ref: 6E5ACB4A
__CxxThrowException@8.LIBCMT ref: 6E5ACB58
std::_Facet_Register.LIBCPMT ref: 6E5ACB6E

Strings

bad cast, xrefs: 6E5ACB42

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: std::_$LockitLockit::_$Exception@8Facet_GetfacetH_prolog3RegisterThrow__lockctypestd::bad_exception::bad_exceptionstd::locale::_
String ID: bad cast
API String ID: 2017145326-3145022300
Opcode ID: f2a451acb48740561714a96febafb8663e4deb2d5761c37aaed0d83d4f50bc83
Instruction ID: 983c63eb738da27b3397464f8c91e0da9405baf7273f8471f48978326974177d
Opcode Fuzzy Hash: f2a451acb48740561714a96febafb8663e4deb2d5761c37aaed0d83d4f50bc83
Instruction Fuzzy Hash: 290180769006299BCF05DFE8C920AED33F8BF85714F600908D711AF290DF359E048B91

Function 6E5B088D Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6E5B0894
std::_Lockit::_Lockit.LIBCPMT ref: 6E5B089E

Part of subcall function 6E5B9775: __lock.LIBCMT ref: 6E5B9786

int.LIBCPMT ref: 6E5B08B5

Part of subcall function 6E5AC730: std::_Lockit::_Lockit.LIBCPMT ref: 6E5AC741

std::locale::_Getfacet.LIBCPMT ref: 6E5B08BE
codecvt.LIBCPMT ref: 6E5B08D8
std::bad_exception::bad_exception.LIBCMT ref: 6E5B08EC
__CxxThrowException@8.LIBCMT ref: 6E5B08FA
std::_Facet_Register.LIBCPMT ref: 6E5B0910

Strings

bad cast, xrefs: 6E5B08E4

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: std::_$LockitLockit::_$Exception@8Facet_GetfacetH_prolog3RegisterThrow__lockcodecvtstd::bad_exception::bad_exceptionstd::locale::_
String ID: bad cast
API String ID: 1757418035-3145022300
Opcode ID: 23e011abe5b4364a65875b2f84b87c02fb86c55886bf93954b81faa2c6c88963
Instruction ID: b3d28f2354dc68360d7efb16cfa9455446629c8612f69a6affe243c4595ce89b
Opcode Fuzzy Hash: 23e011abe5b4364a65875b2f84b87c02fb86c55886bf93954b81faa2c6c88963
Instruction Fuzzy Hash: F0019236D10619ABCF15DFE4C9219ED33F8BF84754F10090AE610BB294EF749E048791

Function 6E5AD221 Relevance: 15.2, APIs: 10, Instructions: 238COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6E5AD22B
_memset.LIBCMT ref: 6E5AD275
GetVersionExA.KERNEL32(?), ref: 6E5AD28A
SysFreeString.OLEAUT32(?), ref: 6E5AD450
VariantClear.OLEAUT32(?), ref: 6E5AD476
VariantClear.OLEAUT32(?), ref: 6E5AD492
VariantClear.OLEAUT32(?), ref: 6E5AD4AE
VariantClear.OLEAUT32(?), ref: 6E5AD4C1
_memset.LIBCMT ref: 6E5AD4DD
ShellExecuteExA.SHELL32(?), ref: 6E5AD544

Part of subcall function 6E5ACE44: __EH_prolog3.LIBCMT ref: 6E5ACE4B
Part of subcall function 6E5ACE44: CoCreateInstance.OLE32(6E5DA44C,00000000,00000004,6E5E1D08,?,00000038,6E5AD2B2), ref: 6E5ACE79
Part of subcall function 6E5ACE44: IUnknown_QueryService.SHLWAPI(?,6E5DA2E8,6E5E1D28,?), ref: 6E5ACECD

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: ClearVariant$_memset$CreateExecuteFreeH_prolog3H_prolog3_InstanceQueryServiceShellStringUnknown_Version
String ID:
API String ID: 3897910360-0
Opcode ID: f0e41c4fb32ee1749f4ce4775bc956f3eb682eacc754f6bcaaddab09bae875ca
Instruction ID: 440240199055b9f76c7a80e41677a379fcaf489b0fe1d83a7184b71dda3071ae
Opcode Fuzzy Hash: f0e41c4fb32ee1749f4ce4775bc956f3eb682eacc754f6bcaaddab09bae875ca
Instruction Fuzzy Hash: 6BA12871900629CFEB21DFA8CC44BDEB7B9AF06304F0145D9EA09AB250D7719E85CF52

Function 6E5CAE2A Relevance: 15.2, APIs: 10, Instructions: 219COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 6E5CAE38

Part of subcall function 6E5C2158: __mtinitlocknum.LIBCMT ref: 6E5C216A
Part of subcall function 6E5C2158: __amsg_exit.LIBCMT ref: 6E5C2176
Part of subcall function 6E5C2158: EnterCriticalSection.KERNEL32(00000000,?,6E5C9357,0000000D), ref: 6E5C2183

__calloc_crt.LIBCMT ref: 6E5CAE49

Part of subcall function 6E5C2EFC: __calloc_impl.LIBCMT ref: 6E5C2F0B
Part of subcall function 6E5C2EFC: Sleep.KERNEL32(00000000), ref: 6E5C2F22

@_EH4_CallFilterFunc@8.LIBCMT ref: 6E5CAE64
GetStartupInfoW.KERNEL32(?,6E5E46D8,00000064,6E5C0246), ref: 6E5CAEBD
__calloc_crt.LIBCMT ref: 6E5CAF08
GetFileType.KERNEL32(00000001), ref: 6E5CAF4F
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 6E5CAF88

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__amsg_exit__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 2673217650-0
Opcode ID: 2876c02bd4e354e47951ca3813204c89e7b0eb75feb7a09ba803b78630a30dc1
Instruction ID: 86f05463d5c515505f07d4799a12e06185ece511b1b0eb79a9db91884febf6ae
Opcode Fuzzy Hash: 2876c02bd4e354e47951ca3813204c89e7b0eb75feb7a09ba803b78630a30dc1
Instruction Fuzzy Hash: 9181F4709047468FDB60CFE8C8A05ADBFF0AF4A724B24465DD0B6AB3C2D7349842CB52

Function 6E5A246B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 134COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 6E5A24E3
_memmove.LIBCMT ref: 6E5A251B
_memmove.LIBCMT ref: 6E5A2542

Strings

string too long, xrefs: 6E5A2569
Zn, xrefs: 6E5A2582, 6E5A246E, 6E5A2586, 6E5A25A3
Zn, xrefs: 6E5A246F, 6E5A254E, 6E5A2581
invalid string position, xrefs: 6E5A2573
Win32_ScheduledJob=, xrefs: 6E5A2585

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: _memmove
String ID: Win32_ScheduledJob=$invalid string position$string too long$Zn$Zn
API String ID: 4104443479-3873333329
Opcode ID: 1780a3168aae24158dee5bdb908d8c0b72fe9a2156d58ebba29922520c72251e
Instruction ID: 2334bf1d66b6a1d8cda5129705cae40c1d6a0beaf194bb2c706f553933ccfb40
Opcode Fuzzy Hash: 1780a3168aae24158dee5bdb908d8c0b72fe9a2156d58ebba29922520c72251e
Instruction Fuzzy Hash: 1641D375300305DBE724DEDED8A1A6EB3FAFB897047004D2DEA558B641E771DC418B61

Function 10002489 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(0001045C,00008003,00000000,00000000), ref: 100024CF
SendMessageA.USER32(00008003,00000001,00000000), ref: 100024DE
PostMessageA.USER32(?,00000408,?,00000000), ref: 100024F9
GetWindowRect.USER32(?,?), ref: 10002502
SetWindowPos.USER32(?,?,?,?,00000000,00000000,00000001), ref: 10002518
PostMessageA.USER32(00008002,?,?), ref: 1000252F
CallWindowProcA.USER32(?,00000047,?,?), ref: 1000254F

Strings

G, xrefs: 1000248F

Memory Dump Source

Source File: 00000001.00000002.2976574315.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2976553438.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2976597083.0000000010004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2976619836.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Au_.jbxd

Similarity

API ID: Message$Window$PostSend$CallProcRect
String ID: G
API String ID: 3451797191-985283518
Opcode ID: 8459f72c2daa026aec1874bf85f2df9d616ba527169aa0e9b22aca72aef16451
Instruction ID: 99c4d9ead5a2cc13b400db64e0a072f7776296885c85ac3f57b22d13651e73a2
Opcode Fuzzy Hash: 8459f72c2daa026aec1874bf85f2df9d616ba527169aa0e9b22aca72aef16451
Instruction Fuzzy Hash: 3E2114B6900128BFEF029F94DD85DAA7B79EB083D6F414055FA04A60B4C7718E61EB64

Function 6E5B618B Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 50libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6E5B6192

Part of subcall function 6E5B5F42: __EH_prolog3_GS.LIBCMT ref: 6E5B5F4C
Part of subcall function 6E5B5F42: CreateToolhelp32Snapshot.KERNEL32 ref: 6E5B5F7B
Part of subcall function 6E5B5F42: _memset.LIBCMT ref: 6E5B5F97
Part of subcall function 6E5B5F42: Process32First.KERNEL32 ref: 6E5B5FB1
Part of subcall function 6E5B5F42: CloseHandle.KERNEL32(00000000,?,00000000,?,6E5B177C,firefox.exe), ref: 6E5B6053

OpenProcess.KERNEL32(00000800,00000000,?,00000014,6E5B2D0E,?), ref: 6E5B61C3
GetModuleHandleA.KERNEL32(ntdll), ref: 6E5B61D4
GetProcAddress.KERNEL32(00000000,NtResumeProcess), ref: 6E5B61F1
CloseHandle.KERNEL32(00000000), ref: 6E5B61FF

Strings

ntdll, xrefs: 6E5B61CF
NtResumeProcess, xrefs: 6E5B61EB
NtSuspendProcess, xrefs: 6E5B61E4

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: Handle$Close$AddressCreateFirstH_prolog3H_prolog3_ModuleOpenProcProcessProcess32SnapshotToolhelp32_memset
String ID: NtResumeProcess$NtSuspendProcess$ntdll
API String ID: 1927671803-2625365909
Opcode ID: aed830c2baef7e2ebf119158d0821fd6e69130f66e790c890966ff02b104439a
Instruction ID: 278232f5d9e02925aca3b19927a2a83b89082c581f499383eb2f243b03e2ca45
Opcode Fuzzy Hash: aed830c2baef7e2ebf119158d0821fd6e69130f66e790c890966ff02b104439a
Instruction Fuzzy Hash: 6C019235E1060BABEF158BF8C928FBE76F5AF41305F008568E511E7281DFB4D905CA25

Function 6E5B5E1D Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6E5B5E24
std::_Lockit::_Lockit.LIBCPMT ref: 6E5B5E2E

Part of subcall function 6E5B9775: __lock.LIBCMT ref: 6E5B9786

int.LIBCPMT ref: 6E5B5E45

Part of subcall function 6E5AC730: std::_Lockit::_Lockit.LIBCPMT ref: 6E5AC741

std::locale::_Getfacet.LIBCPMT ref: 6E5B5E4E
std::bad_exception::bad_exception.LIBCMT ref: 6E5B5E7C
__CxxThrowException@8.LIBCMT ref: 6E5B5E8A
std::_Facet_Register.LIBCPMT ref: 6E5B5EA0

Strings

bad cast, xrefs: 6E5B5E74

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: std::_$LockitLockit::_$Exception@8Facet_GetfacetH_prolog3RegisterThrow__lockstd::bad_exception::bad_exceptionstd::locale::_
String ID: bad cast
API String ID: 1501143699-3145022300
Opcode ID: 08c1a6369d640dd0efc8d5b65954b816619ad8d9edc801dacd1b45c96a54ccfe
Instruction ID: 617c5840697e8280a1191ed9a354e51710ae71f12ac14d62ec8fb2d26e20383b
Opcode Fuzzy Hash: 08c1a6369d640dd0efc8d5b65954b816619ad8d9edc801dacd1b45c96a54ccfe
Instruction Fuzzy Hash: 5F019276D106299BCF09DFE4C920EFD33F9AF94B54F100949E611AB290DF349E058791

Function 6E5B8ED6 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6E5B8EDD
std::_Lockit::_Lockit.LIBCPMT ref: 6E5B8EE7

Part of subcall function 6E5B9775: __lock.LIBCMT ref: 6E5B9786

int.LIBCPMT ref: 6E5B8EFE

Part of subcall function 6E5AC730: std::_Lockit::_Lockit.LIBCPMT ref: 6E5AC741

std::locale::_Getfacet.LIBCPMT ref: 6E5B8F07
std::bad_exception::bad_exception.LIBCMT ref: 6E5B8F35
__CxxThrowException@8.LIBCMT ref: 6E5B8F43
std::_Facet_Register.LIBCPMT ref: 6E5B8F59

Strings

bad cast, xrefs: 6E5B8F2D

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: std::_$LockitLockit::_$Exception@8Facet_GetfacetH_prolog3RegisterThrow__lockstd::bad_exception::bad_exceptionstd::locale::_
String ID: bad cast
API String ID: 1501143699-3145022300
Opcode ID: 2edc3a9c3dedd52989cbf0fad327807ac8267756efb11dd90a531e9ffe1458c5
Instruction ID: b26368d946f20402b2fcc18d6a2f68e027add18d7a63a21ba2eb0e96cd03ad94
Opcode Fuzzy Hash: 2edc3a9c3dedd52989cbf0fad327807ac8267756efb11dd90a531e9ffe1458c5
Instruction Fuzzy Hash: 8701B5369006269BCF15DFE4C960DED73F9AF94714F100949E711AB2D0DF349E048B92

Function 6E5A8B9D Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6E5A8BA4
std::_Lockit::_Lockit.LIBCPMT ref: 6E5A8BAE

Part of subcall function 6E5B9775: __lock.LIBCMT ref: 6E5B9786

int.LIBCPMT ref: 6E5A8BC5

Part of subcall function 6E5AC730: std::_Lockit::_Lockit.LIBCPMT ref: 6E5AC741

std::locale::_Getfacet.LIBCPMT ref: 6E5A8BCE
std::bad_exception::bad_exception.LIBCMT ref: 6E5A8BFC
__CxxThrowException@8.LIBCMT ref: 6E5A8C0A
std::_Facet_Register.LIBCPMT ref: 6E5A8C20

Strings

bad cast, xrefs: 6E5A8BF4

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: std::_$LockitLockit::_$Exception@8Facet_GetfacetH_prolog3RegisterThrow__lockstd::bad_exception::bad_exceptionstd::locale::_
String ID: bad cast
API String ID: 1501143699-3145022300
Opcode ID: 25a1e9f8a88de8c8aad06f0b03d67caa4048a3fdd21d32497e5f00ad1f5f199c
Instruction ID: ef62dfe2a88ca418d82be09e97ae5ad2b6d62a4fc5e3f88d8d7211f08e206e64
Opcode Fuzzy Hash: 25a1e9f8a88de8c8aad06f0b03d67caa4048a3fdd21d32497e5f00ad1f5f199c
Instruction Fuzzy Hash: 6901807A9106199BCB15DBE8C924AED73F8AF94714F104909D711AF2D0EF349E048B92

Function 6E5B4BA3 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6E5B4BAA
std::_Lockit::_Lockit.LIBCPMT ref: 6E5B4BB4

Part of subcall function 6E5B9775: __lock.LIBCMT ref: 6E5B9786

int.LIBCPMT ref: 6E5B4BCB

Part of subcall function 6E5AC730: std::_Lockit::_Lockit.LIBCPMT ref: 6E5AC741

std::locale::_Getfacet.LIBCPMT ref: 6E5B4BD4
std::bad_exception::bad_exception.LIBCMT ref: 6E5B4C02
__CxxThrowException@8.LIBCMT ref: 6E5B4C10
std::_Facet_Register.LIBCPMT ref: 6E5B4C26

Strings

bad cast, xrefs: 6E5B4BFA

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: std::_$LockitLockit::_$Exception@8Facet_GetfacetH_prolog3RegisterThrow__lockstd::bad_exception::bad_exceptionstd::locale::_
String ID: bad cast
API String ID: 1501143699-3145022300
Opcode ID: fc74ca5582b2c1fea5fc744b5d3ab6717e5ff677a84fe9258ecc915b80bb6807
Instruction ID: 6d5d2077bb1874829faecede2add4ca5b80996c659cd394f3e67405c7ad8bd77
Opcode Fuzzy Hash: fc74ca5582b2c1fea5fc744b5d3ab6717e5ff677a84fe9258ecc915b80bb6807
Instruction Fuzzy Hash: 9E01527A9006199BCF15DBE4C920AED73FCAF84B19F104D09D711AB291EF749E068B91

Function 10001E5B Relevance: 13.5, APIs: 9, Instructions: 30filesynchronizationthreadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 10001E5B
GetCurrentThreadId.KERNEL32 ref: 10001E61
SendMessageA.USER32(00000010,00000000,00000000), ref: 10001E89
WaitForSingleObject.KERNEL32(000000FF), ref: 10001E97
CloseHandle.KERNEL32 ref: 10001EA3
CloseHandle.KERNEL32 ref: 10001EAB
CloseHandle.KERNEL32 ref: 10001EB3
UnmapViewOfFile.KERNEL32 ref: 10001EBB
CloseHandle.KERNEL32 ref: 10001EC7

Memory Dump Source

Source File: 00000001.00000002.2976574315.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2976553438.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2976597083.0000000010004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2976619836.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Au_.jbxd

Similarity

API ID: CloseHandle$Current$FileMessageObjectProcessSendSingleThreadUnmapViewWait
String ID:
API String ID: 1555270478-0
Opcode ID: f543bcc34b0980035e4ef67c28abe85c994fd5068d6c0a6fe188832442d89939
Instruction ID: 2d581c138c8a5662fdd2d931458bdd3db3c3346f56e31af900759cc14978b0eb
Opcode Fuzzy Hash: f543bcc34b0980035e4ef67c28abe85c994fd5068d6c0a6fe188832442d89939
Instruction Fuzzy Hash: FFF0D4B14100B4AFFB116B70CD89A9A3FB6FB083E2B025626F545910BDDFA10A90EF54

Function 6E5B6223 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 147processCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6E5B622D
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6E5B6297
Process32First.KERNEL32(00000000,00000128), ref: 6E5B62A7
Process32Next.KERNEL32(00000000,00000128), ref: 6E5B62C4

Part of subcall function 6E5A57E7: __EH_prolog3.LIBCMT ref: 6E5A57EE
Part of subcall function 6E5A57E7: std::locale::_Init.LIBCPMT ref: 6E5A5806

Part of subcall function 6E5A5A50: __EH_prolog3_GS.LIBCMT ref: 6E5A5A57

CloseHandle.KERNEL32(00000000), ref: 6E5B6391

Strings

[^a-zA-Z0-9 _-]+, xrefs: 6E5B631E
.exe, xrefs: 6E5B62DE, 6E5B62F0

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: H_prolog3_Process32$CloseCreateFirstH_prolog3HandleInitNextSnapshotToolhelp32std::locale::_
String ID: .exe$[^a-zA-Z0-9 _-]+
API String ID: 3459797796-2008357110
Opcode ID: a5a5605de3af12f7d2fa7f54ebefcb477b3a9d55133075497bd518824cabd468
Instruction ID: 1f5ab53c0909d3b5059f82a1c381141a6bf817749f33f011d3f836e787eaf361
Opcode Fuzzy Hash: a5a5605de3af12f7d2fa7f54ebefcb477b3a9d55133075497bd518824cabd468
Instruction Fuzzy Hash: F7513BB1901218AFDB15DFE8CEA0AEEB7F8AF55304F5044A9D209A7241DF706E49CF61

Function 6E5A113B Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000200), ref: 6E5A115F
_memcmp.LIBCMT ref: 6E5A1177
FindWindowExA.USER32(?,00000000,MozillaWindowClass,00000000), ref: 6E5A118F
SetForegroundWindow.USER32(00000000), ref: 6E5A119D
SendMessageTimeoutA.USER32(00000000,00000100,0000000D,00000000,00000003,000003E8,00000000), ref: 6E5A11B4

Strings

MozillaDialogClass, xrefs: 6E5A1171
MozillaWindowClass, xrefs: 6E5A1188

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: Window$ClassFindForegroundMessageNameSendTimeout_memcmp
String ID: MozillaDialogClass$MozillaWindowClass
API String ID: 846749858-3318280321
Opcode ID: 9b056d88dcb0001b4d2d6733e2869fd92e5dd893df904deae64da5c3a22e0040
Instruction ID: 9110683cfef78d44704040a3f6c6060361fdd2e15f1fb8c4b8370c77b3df0040
Opcode Fuzzy Hash: 9b056d88dcb0001b4d2d6733e2869fd92e5dd893df904deae64da5c3a22e0040
Instruction Fuzzy Hash: 9C01FCB260071D7BE700EBE58D89FBF77ECDB45744F410015FA01E6182DB709D0586A5

Function 10001B94 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(KERNEL32,CheckElevationEnabled,?,?,?,10002C53), ref: 10001BA4
GetProcAddress.KERNEL32(00000000), ref: 10001BAB
SHGetValueA.SHLWAPI(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\System,EnableLUA,?,?,?), ref: 10001BE9

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 10001BDF
CheckElevationEnabled, xrefs: 10001B9A
EnableLUA, xrefs: 10001BDA
KERNEL32, xrefs: 10001B9F

Memory Dump Source

Source File: 00000001.00000002.2976574315.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2976553438.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2976597083.0000000010004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2976619836.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Au_.jbxd

Similarity

API ID: AddressLibraryLoadProcValue
String ID: CheckElevationEnabled$EnableLUA$KERNEL32$Software\Microsoft\Windows\CurrentVersion\Policies\System
API String ID: 426837892-266755506
Opcode ID: 9e5a964a85ffe764e2553f4ba1604b097192ed9a3a93ba8720365e3ee3a8bdd9
Instruction ID: bc842063b41881986b8ec85f5135a6cd47f968694aa42c3c231e6defe1fa76fc
Opcode Fuzzy Hash: 9e5a964a85ffe764e2553f4ba1604b097192ed9a3a93ba8720365e3ee3a8bdd9
Instruction Fuzzy Hash: ECF030B1A0020ABBFB00DBB0CD85ADF77FCEB042C5F014169B652E1049FF74D6408A55

Function 6E5D2566 Relevance: 12.1, APIs: 8, Instructions: 118COMMON

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 6E5D257E

Part of subcall function 6E5C21E0: __FF_MSGBANNER.LIBCMT ref: 6E5C21F5
Part of subcall function 6E5C21E0: __NMSG_WRITE.LIBCMT ref: 6E5C21FC
Part of subcall function 6E5C21E0: __malloc_crt.LIBCMT ref: 6E5C221C

__lock.LIBCMT ref: 6E5D2591
__lock.LIBCMT ref: 6E5D25DD
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,6E5E4878,00000018,6E5D3F9B,?,00000000,00000109), ref: 6E5D25F9
EnterCriticalSection.KERNEL32(8000000C,6E5E4878,00000018,6E5D3F9B,?,00000000,00000109), ref: 6E5D2616
LeaveCriticalSection.KERNEL32(8000000C), ref: 6E5D2626

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: 6d2e252fe2db3fe80d285ffd4a01ff0d26618f766f58f44ca5b8a6c907926617
Instruction ID: 253c32a8b0cd71a5807c1f3c57cf08d5dde2c091011b3bde4309fefb4a074986
Opcode Fuzzy Hash: 6d2e252fe2db3fe80d285ffd4a01ff0d26618f766f58f44ca5b8a6c907926617
Instruction Fuzzy Hash: AB411379A04B0A8BEB508FECC94479CB7F4BF06329F118218D525EB2C0DF749949CB89

Function 00403F7F Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00403F9C
GetSysColor.USER32(00000000), ref: 00403FB8
SetTextColor.GDI32(?,00000000), ref: 00403FC4
SetBkMode.GDI32(?,?), ref: 00403FD0
GetSysColor.USER32(?), ref: 00403FE3
SetBkColor.GDI32(?,?), ref: 00403FF3
DeleteObject.GDI32(?), ref: 0040400D
CreateBrushIndirect.GDI32(?), ref: 00404017

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction ID: 4cc26f8bf5fc777f430f8318c3ba194748f169832e683f7fcd21add738ba3f9d
Opcode Fuzzy Hash: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction Fuzzy Hash: C221C371904705ABCB209F78DD08B4BBBF8AF40711F048A29F992F26E0C738E904CB55

Function 6E5CA125 Relevance: 10.7, APIs: 7, Instructions: 244COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6E5C9287: __getptd_noexit.LIBCMT ref: 6E5C9288
Part of subcall function 6E5C9287: __amsg_exit.LIBCMT ref: 6E5C9295

_wcscmp.LIBCMT ref: 6E5CA20B
_wcscmp.LIBCMT ref: 6E5CA221
___lc_wcstolc.LIBCMT ref: 6E5CA24D
___get_qualified_locale.LIBCMT ref: 6E5CA272

Part of subcall function 6E5D1AE0: _TranslateName.LIBCMT ref: 6E5D1B20
Part of subcall function 6E5D1AE0: _GetLocaleNameFromLangCountry.LIBCMT ref: 6E5D1B39
Part of subcall function 6E5D1AE0: _TranslateName.LIBCMT ref: 6E5D1B54
Part of subcall function 6E5D1AE0: _GetLocaleNameFromLangCountry.LIBCMT ref: 6E5D1B6A
Part of subcall function 6E5D1AE0: IsValidCodePage.KERNEL32(00000000,?,?,00000055,?,?,6E5CA277,?,?,?,?,00000004,?,00000000), ref: 6E5D1BBE

GetACP.KERNEL32(?,?,?,?,?,00000004,?,00000000), ref: 6E5CA309
_memmove.LIBCMT ref: 6E5CA3BF
__invoke_watson.LIBCMT ref: 6E5CA414

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: Name$CountryFromLangLocaleTranslate_wcscmp$CodePageValid___get_qualified_locale___lc_wcstolc__amsg_exit__getptd_noexit__invoke_watson_memmove
String ID:
API String ID: 3739364018-0
Opcode ID: c79002f3d39b25a9c68898f5f9d4826e5d3c38be24b761779524e32f00092169
Instruction ID: 999941aa069e4f82c4a2eca9c921b60709b50164c6f44718c9dbc8088a1076fd
Opcode Fuzzy Hash: c79002f3d39b25a9c68898f5f9d4826e5d3c38be24b761779524e32f00092169
Instruction Fuzzy Hash: 0B71C7719002556BDB118AD5DC60BFF7BFDAF85B04F1044ADED0AE2142EB308E85CB62

Function 6E5A7AEF Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 6E5A7B89
_memmove.LIBCMT ref: 6E5A7BA7
_memmove.LIBCMT ref: 6E5A7C04
_memmove.LIBCMT ref: 6E5A7C64
_memmove.LIBCMT ref: 6E5A7C83

Strings

vector<T> too long, xrefs: 6E5A7CBD

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: _memmove
String ID: vector<T> too long
API String ID: 4104443479-3788999226
Opcode ID: 948b618ad9eba6f91bb8875efbf400dffc147a585fc72f4580284d7ec8918ce3
Instruction ID: 85cb227618d49a3916a766dac3afc238693eff6e1201f271ba9ba5319b5cbdd7
Opcode Fuzzy Hash: 948b618ad9eba6f91bb8875efbf400dffc147a585fc72f4580284d7ec8918ce3
Instruction Fuzzy Hash: 9C617072A00125DFCF04CFACCDA499E77E6EF893147198669EA159B388D730EE10CB90

Function 6E5ACD22 Relevance: 10.6, APIs: 7, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6E5ACD29
VariantClear.OLEAUT32 ref: 6E5ACD3E
__alloca_probe_16.LIBCMT ref: 6E5ACDA2
_malloc.LIBCMT ref: 6E5ACDBC
MultiByteToWideChar.KERNEL32(00000003,00000000,00000000,000000FF,-00000008,00000002,?,00000014,6E5AD32F,?), ref: 6E5ACDE8
SysAllocString.OLEAUT32(00000000), ref: 6E5ACDFB
_free.LIBCMT ref: 6E5ACE2D

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: AllocByteCharClearH_prolog3_MultiStringVariantWide__alloca_probe_16_free_malloc
String ID:
API String ID: 2957485059-0
Opcode ID: 2102e232680884829ded343d71ef0c16728e638d87ad005f71c95b1b2894ea88
Instruction ID: 8ef366036e7fac8226c836d503b1d394cfb30e2ae7dd0a925f50398ab8ac245e
Opcode Fuzzy Hash: 2102e232680884829ded343d71ef0c16728e638d87ad005f71c95b1b2894ea88
Instruction Fuzzy Hash: C131E271A102468BDF118FECC8A07AD7BF9AF85324F15856AE715FF290EB31884587A1

Function 6E5AC360 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

_Allocate.LIBCPMT ref: 6E5AC3A4
_memmove.LIBCMT ref: 6E5AC3B5
_memmove.LIBCMT ref: 6E5AC3C1
_memmove.LIBCMT ref: 6E5AC3D3
_memmove.LIBCMT ref: 6E5AC40A

Strings

vector<T> too long, xrefs: 6E5AC42A

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: _memmove$Allocate
String ID: vector<T> too long
API String ID: 164242391-3788999226
Opcode ID: 6977f17c7d94bf2a6e313e734a024463cefe471bbd512a2ccd44e11c94f7469e
Instruction ID: 0d05d2889a5048e1f5a8e41e8047f5bb3a813d2412ca50d1656bb84a73ab81fc
Opcode Fuzzy Hash: 6977f17c7d94bf2a6e313e734a024463cefe471bbd512a2ccd44e11c94f7469e
Instruction Fuzzy Hash: A63174B1600216AFCB04DFECCD949AEBBEDFF44258B10492DE6199B601DB71ED60CB94

Function 0040267C Relevance: 10.6, APIs: 7, Instructions: 89memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026D0
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026EC
GlobalFree.KERNEL32(?), ref: 00402725
WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402737
GlobalFree.KERNEL32(00000000), ref: 0040273E
CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 00402756
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040276A

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 5fcc8b9a382b72ce3edcc9f0536c3aea7bfda514bb8596ce6868823b37202457
Instruction ID: 139215c225530ed05a72f165aec94188ca6d0ffd2e2debb4f1ded45b97d75f17
Opcode Fuzzy Hash: 5fcc8b9a382b72ce3edcc9f0536c3aea7bfda514bb8596ce6868823b37202457
Instruction Fuzzy Hash: BF31AD71C00128BBDF216FA4CD89DAE7E78EF09364F10423AF920772E0C6795D419BA9

Function 6E5A257E Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 6E5A25FF
_memmove.LIBCMT ref: 6E5A261A

Strings

string too long, xrefs: 6E5A2569, 6E5A2641
Zn, xrefs: 6E5A2582, 6E5A246E, 6E5A2586, 6E5A25A3, 6E5A2618
Zn, xrefs: 6E5A246F, 6E5A254E, 6E5A2581
Win32_ScheduledJob=, xrefs: 6E5A2585

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: _memmove
String ID: Win32_ScheduledJob=$string too long$Zn$Zn
API String ID: 4104443479-1486525531
Opcode ID: 5fa5ef3b41922c5325550343904a245c82a44bae78e9635dbb46abd23e4cb7ae
Instruction ID: b72f918f9bac703cc40b4e32998f0b855633a9202c8e5635308a974a052625ca
Opcode Fuzzy Hash: 5fa5ef3b41922c5325550343904a245c82a44bae78e9635dbb46abd23e4cb7ae
Instruction Fuzzy Hash: 6521D3782057019BD730DE9F8D61A5FB7E9FB45704B000D1DEAA287680EB71DC44CB91

Function 6E5A231B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6E5A2325
__CxxThrowException@8.LIBCMT ref: 6E5A237F
_memcpy_s.LIBCMT ref: 6E5A23AD
_free.LIBCMT ref: 6E5A23BC

Strings

AllocatorBase: requested size would cause integer overflow, xrefs: 6E5A2350, 6E5A23E1

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: Exception@8H_prolog3_Throw_free_memcpy_s
String ID: AllocatorBase: requested size would cause integer overflow
API String ID: 2762394883-10355266
Opcode ID: 5ab245504a1f794069785c666c4a5610daa80ee9dad406b7a71d4396b167053f
Instruction ID: 15fc60f73f0d865b67fa33f509ec7b01be44389ef7eb9bdc4e22d21dc740686a
Opcode Fuzzy Hash: 5ab245504a1f794069785c666c4a5610daa80ee9dad406b7a71d4396b167053f
Instruction Fuzzy Hash: 9A31C071E00118EFCF14CFEAC961BED77F89B45358F008869E718AB681DB309E498B91

Function 6E5ABE2C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

_Allocate.LIBCPMT ref: 6E5ABE71
_memmove.LIBCMT ref: 6E5ABE82
_memmove.LIBCMT ref: 6E5ABEA3

Strings

u~Zn, xrefs: 6E5ABE60
u~Zn, xrefs: 6E5ABE2C
vector<T> too long, xrefs: 6E5ABEFE

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: _memmove$Allocate
String ID: u~Zn$u~Zn$vector<T> too long
API String ID: 164242391-2961771269
Opcode ID: 10bc0442d80ce10b7427d418a32dd2cbdce6dceb1fbf44c9d6eca5294cf7cc61
Instruction ID: a63172b6f0fb2d0348690718d17d8e7b41f5c2f1da84e276040d0932605c955c
Opcode Fuzzy Hash: 10bc0442d80ce10b7427d418a32dd2cbdce6dceb1fbf44c9d6eca5294cf7cc61
Instruction Fuzzy Hash: B021FFB250010ABFCB04DFEDCD94D9EBBE9FF48244B104529E6199B614EB71E964CB90

Function 00404F04 Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0042DC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000,?), ref: 00404F3D
lstrlenA.KERNEL32(00402C4A,0042DC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000), ref: 00404F4D
lstrcatA.KERNEL32(0042DC78,00402C4A,00402C4A,0042DC78,00000000,00000000,00000000), ref: 00404F60
SetWindowTextA.USER32(0042DC78,0042DC78), ref: 00404F72
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F98
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FB2
SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FC0

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 44fc4a0ccf7bdfb88c8bbdc0bfee12d1c7f283ea044d1b2c3ed86b30a2e5f05c
Instruction ID: 2fc55b577d604e71a684dab85a3a394c861f11f73c7a4afdaccd6d4ddf25b775
Opcode Fuzzy Hash: 44fc4a0ccf7bdfb88c8bbdc0bfee12d1c7f283ea044d1b2c3ed86b30a2e5f05c
Instruction Fuzzy Hash: 98218CB1900119BBDB019FA5DD8499EBFB9EF49354F14807AFA04B6290C3789E40CB68

Function 00405DC8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,00479000,"C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" ,00479000,00000000,00403214,00479000,00000000,00403386), ref: 00405E20
CharNextA.USER32(?,?,?,00000000), ref: 00405E2D
CharNextA.USER32(?,00479000,"C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" ,00479000,00000000,00403214,00479000,00000000,00403386), ref: 00405E32
CharPrevA.USER32(?,?,"C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" ,00479000,00000000,00403214,00479000,00000000,00403386), ref: 00405E42

Strings

*?|<>/":, xrefs: 00405E10
"C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" , xrefs: 00405DCE

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" $*?|<>/":
API String ID: 589700163-3667067411
Opcode ID: d60fa47d96b079028a76cfcdb2d30976ede71f36b1f4f1e1bc9c50cb25bd2be5
Instruction ID: 3b6179abbfe29fc78842bf11aa846075366cc437f950451d76d565b88bc2b460
Opcode Fuzzy Hash: d60fa47d96b079028a76cfcdb2d30976ede71f36b1f4f1e1bc9c50cb25bd2be5
Instruction Fuzzy Hash: A0110861805B9129EB3227284C48BBB7F89CF66754F18447FD8C4722C2C67C5D429FAD

Function 6E5A3CA4 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 68registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\.NETFramework\policy,00000000,00020019,?), ref: 6E5A3CE4
RegEnumKeyExA.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6E5A3D4E
RegCloseKey.ADVAPI32(?), ref: 6E5A3D62

Strings

v, xrefs: 6E5A3D0C
SOFTWARE\Microsoft\.NETFramework\policy, xrefs: 6E5A3CC8
., xrefs: 6E5A3D21

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: CloseEnumOpen
String ID: .$SOFTWARE\Microsoft\.NETFramework\policy$v
API String ID: 1332880857-3848217630
Opcode ID: abcc3562479d19e9402f57a5b99fdc530f558a8bdba8117313c39061c1ae5a00
Instruction ID: 5c7eb403660da81fc72b6189a1307481c2bebc02379e01f62617a3eef7ebc33f
Opcode Fuzzy Hash: abcc3562479d19e9402f57a5b99fdc530f558a8bdba8117313c39061c1ae5a00
Instruction Fuzzy Hash: 582148B190411DEEEB608B95CC98FEF77FCEB16348F0041E6E285A6101DAB45EC48F50

Function 00402BD3 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402BEB
GetTickCount.KERNEL32 ref: 00402C09
wsprintfA.USER32 ref: 00402C37

Part of subcall function 00404F04: lstrlenA.KERNEL32(0042DC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000,?), ref: 00404F3D
Part of subcall function 00404F04: lstrlenA.KERNEL32(00402C4A,0042DC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000), ref: 00404F4D
Part of subcall function 00404F04: lstrcatA.KERNEL32(0042DC78,00402C4A,00402C4A,0042DC78,00000000,00000000,00000000), ref: 00404F60
Part of subcall function 00404F04: SetWindowTextA.USER32(0042DC78,0042DC78), ref: 00404F72
Part of subcall function 00404F04: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F98
Part of subcall function 00404F04: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404FB2
Part of subcall function 00404F04: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404FC0

CreateDialogParamA.USER32(0000006F,00000000,00402B3B,00000000), ref: 00402C5B
ShowWindow.USER32(00000000,00000005), ref: 00402C69

Part of subcall function 00402BB7: MulDiv.KERNEL32(00052CBE,00000064,0004DE23), ref: 00402BCC

Strings

... %d%%, xrefs: 00402C31

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 02cd7cf1b4c9dc1e06d43a13f06a46c1327bce63474e00e6603fffb3150c81e6
Instruction ID: d503382bffdb6877589bf5e9d8f4d3b6a3320859dd1babf1ed2f4cbaa8b03d3e
Opcode Fuzzy Hash: 02cd7cf1b4c9dc1e06d43a13f06a46c1327bce63474e00e6603fffb3150c81e6
Instruction Fuzzy Hash: 2501A170809214EBD7219F61EE4DA9F77A8BB01701B10403BF901F11E9DAB89901DBEF

Function 004047D3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 004047EE
GetMessagePos.USER32 ref: 004047F6
ScreenToClient.USER32(?,?), ref: 00404810
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404822
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404848

Strings

f, xrefs: 00404824

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction ID: 01d6173a61c3c3b4b037133c9a52f1e04ee3049876a8ff08b59bebc5d15cf036
Opcode Fuzzy Hash: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction Fuzzy Hash: BA018075D40218BADB00DB94CC41BFEBBBCAB55711F10412ABB00B61C0C3B46501CB95

Function 6E5A1059 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000200), ref: 6E5A107D
_memcmp.LIBCMT ref: 6E5A1095
FindWindowExA.USER32(?,00000000,TabWindowClass,00000000), ref: 6E5A10AC
PostMessageA.USER32(00000000,00000010,00000000,00000000), ref: 6E5A10BB

Strings

Frame Tab, xrefs: 6E5A108F
TabWindowClass, xrefs: 6E5A10A5

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: ClassFindMessageNamePostWindow_memcmp
String ID: Frame Tab$TabWindowClass
API String ID: 2748079166-2714809625
Opcode ID: f78bb11b2bfca3f79520b4044f1d63cc47b3179b215326aaf923ac7990b6b83c
Instruction ID: c960991b6627d0ea600ff4551fb1211fc4a9bd512fa3087749c59689d750af5f
Opcode Fuzzy Hash: f78bb11b2bfca3f79520b4044f1d63cc47b3179b215326aaf923ac7990b6b83c
Instruction Fuzzy Hash: 0A0181B1600249BBEB10ABA68D08E9F76ECAB86704F414459BA11E6181EB349948CA65

Function 6E5A11CE Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44windowCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000200), ref: 6E5A11F2
_memcmp.LIBCMT ref: 6E5A120A
_memcmp.LIBCMT ref: 6E5A1224
PostMessageA.USER32(?,00000010,00000000,00000000), ref: 6E5A1237

Strings

MozillaWindowClass, xrefs: 6E5A1204
MozillaUIWindowClass, xrefs: 6E5A121E

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: _memcmp$ClassMessageNamePost
String ID: MozillaUIWindowClass$MozillaWindowClass
API String ID: 2291821972-3194403505
Opcode ID: 93a0d3fd77e18eb6909ef942d395fe11afe69efbf5920a02941218efad30a3ae
Instruction ID: f5cb00be090a5fb828450e20d8c8fcb7caec3d3308c24709e6f1978afff26b74
Opcode Fuzzy Hash: 93a0d3fd77e18eb6909ef942d395fe11afe69efbf5920a02941218efad30a3ae
Instruction Fuzzy Hash: E70181B2A0031D76EB00EBE58D09FDF32EC9F05704F404465EB10E61C2EB70EA088A59

Function 00402B3B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B56
wsprintfA.USER32 ref: 00402B8A
SetWindowTextA.USER32(?,?), ref: 00402B9A
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BAC

Strings

unpacking data: %d%%, xrefs: 00402B78, 00402B88
verifying installer: %d%%, xrefs: 00402B7F

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: 9af37322b4a8c4315db75c794ccca9b4a5d46a3d1f417319ca6675d20cac232d
Instruction ID: 42736c47b098eae16a91b662ba86b6af227696c677de4a6351d43f215c84d625
Opcode Fuzzy Hash: 9af37322b4a8c4315db75c794ccca9b4a5d46a3d1f417319ca6675d20cac232d
Instruction Fuzzy Hash: 86F03671900109ABEF259F51DD0ABEE3779EB00305F008036FA05B51D1D7F9AA559F99

Function 6E5B5F42 Relevance: 9.1, APIs: 6, Instructions: 87processCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6E5B5F4C
CreateToolhelp32Snapshot.KERNEL32 ref: 6E5B5F7B
_memset.LIBCMT ref: 6E5B5F97
Process32First.KERNEL32 ref: 6E5B5FB1
Process32Next.KERNEL32(00000000,?), ref: 6E5B6044
CloseHandle.KERNEL32(00000000,?,00000000,?,6E5B177C,firefox.exe), ref: 6E5B6053

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: Process32$CloseCreateFirstH_prolog3_HandleNextSnapshotToolhelp32_memset
String ID:
API String ID: 1658010742-0
Opcode ID: 8e5130b28a17386571c1f131f838a5f264e0926edde52550bab66d33785288d8
Instruction ID: a4b9a267d4f4af008caf0d29f1c18b1accaffc2181032adf4839f6873cfe5557
Opcode Fuzzy Hash: 8e5130b28a17386571c1f131f838a5f264e0926edde52550bab66d33785288d8
Instruction Fuzzy Hash: 4E31B0B0A10309CFDB64CFA5C8A0BAAB3F9AF44704F1044ADE60DD7240D7B4AE84CB41

Function 10001484 Relevance: 9.1, APIs: 6, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E8), ref: 100014B9
SendMessageA.USER32(00000000), ref: 100014C2
GetDlgItem.USER32(?,000003E9), ref: 100014DB
SendMessageA.USER32(00000000), ref: 100014DE
GetDlgItem.USER32(000003EF,000003EC), ref: 10001508
EnableWindow.USER32(00000000), ref: 1000150B

Memory Dump Source

Source File: 00000001.00000002.2976574315.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2976553438.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2976597083.0000000010004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2976619836.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Au_.jbxd

Similarity

API ID: Item$MessageSend$EnableWindow
String ID:
API String ID: 2158911739-0
Opcode ID: d1a084a767706afaab5881c04c316720801fd502cffe88eaf5a56bb77e4cf56d
Instruction ID: 8a4dafba77292c4870ec695e511580d61b0590fae370932de45dfa44761696c9
Opcode Fuzzy Hash: d1a084a767706afaab5881c04c316720801fd502cffe88eaf5a56bb77e4cf56d
Instruction Fuzzy Hash: 80115A71A00258BFEF029FA5CC84AEE7F6DEB40390F05C426F9149A1A1C6748A51DF90

Function 10001ECD Relevance: 9.0, APIs: 6, Instructions: 47windowthreadCOMMON

Download Yara Rule

APIs

IsDialogMessageA.USER32(00000002,?), ref: 10001EF1
TranslateMessage.USER32(?), ref: 10001EFF
DispatchMessageA.USER32(?), ref: 10001F09
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 10001F18
GetCurrentProcessId.KERNEL32 ref: 10001F24
GetCurrentThreadId.KERNEL32 ref: 10001F2A

Memory Dump Source

Source File: 00000001.00000002.2976574315.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2976553438.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2976597083.0000000010004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2976619836.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Au_.jbxd

Similarity

API ID: Message$Current$DialogDispatchPeekProcessThreadTranslate
String ID:
API String ID: 1591844402-0
Opcode ID: b3ce90603388d15316c959500f60e2c52d6493ac26b50c921af3921bbe88ae36
Instruction ID: b95f15e9417dbd24bf6e8ac0690e862ae9fd9ff28d6ada3afbae69be3c1ac41b
Opcode Fuzzy Hash: b3ce90603388d15316c959500f60e2c52d6493ac26b50c921af3921bbe88ae36
Instruction Fuzzy Hash: FA01487190019AEBEB10DFA5CC84CEF7BFDEB856C1B108436F946D2118D7749985CB60

Function 6E5C93C1 Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 6E5C93C1

Part of subcall function 6E5C5C6F: __initp_misc_winsig.LIBCMT ref: 6E5C5C93

__mtinitlocks.LIBCMT ref: 6E5C93C6

Part of subcall function 6E5C2287: InitializeCriticalSectionAndSpinCount.KERNEL32(6E5E85E0,00000FA0,?,00000001,6E5C93CB,6E5C021C,6E5E4370,00000008,6E5C03E2,?,00000001,?,6E5E4390,0000000C,6E5C0381,?), ref: 6E5C22A5

__mtterm.LIBCMT ref: 6E5C93CF
__calloc_crt.LIBCMT ref: 6E5C93F4
GetCurrentThreadId.KERNEL32 ref: 6E5C941D

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: CountCriticalCurrentInitializeSectionSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm
String ID:
API String ID: 4019585109-0
Opcode ID: ce1047b43fe5b107a3b0c17c333dceaf978dd5cba6d1e7affcc09b1237c5d734
Instruction ID: c85c5bcdac171d8bde69b0d7b7958b4761fb746438d093521d455192f70fc761
Opcode Fuzzy Hash: ce1047b43fe5b107a3b0c17c333dceaf978dd5cba6d1e7affcc09b1237c5d734
Instruction Fuzzy Hash: 83F0903611CA9219E6646AF86C35A9B27C9BF82E3CF255E1DE660D60D0EF1088424197

Function 1000197E Relevance: 9.0, APIs: 6, Instructions: 44serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,80000000,00000000,?,?,?,?,?,?,10002C2F,seclogon), ref: 10001992
OpenServiceA.ADVAPI32(00000000,10002C2F,00000004,74DF05F0,00000000,?,?,?,?,?,?,10002C2F,seclogon), ref: 100019A6
QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,?,10002C2F,seclogon), ref: 100019BD
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,10002C2F,seclogon), ref: 100019D0
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,10002C2F,seclogon), ref: 100019D3
GetLastError.KERNEL32(?,?,?,?,?,?,10002C2F,seclogon), ref: 100019D9

Memory Dump Source

Source File: 00000001.00000002.2976574315.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2976553438.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2976597083.0000000010004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2976619836.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Au_.jbxd

Similarity

API ID: Service$CloseHandleOpen$ErrorLastManagerQueryStatus
String ID:
API String ID: 3744063808-0
Opcode ID: 98206d198cd330a5d98b0aad1fb3198da192d225e5e3ebece727d06186528dce
Instruction ID: 432954036192f9ba08a9e70ce5b752e4165c0fd1d80ed722784ba744950712b6
Opcode Fuzzy Hash: 98206d198cd330a5d98b0aad1fb3198da192d225e5e3ebece727d06186528dce
Instruction Fuzzy Hash: 48F0F43A9083A46BFB1257A18C88BEE7FBCDB483D1F100065EA81A1188CAB4C545CA60

Function 6E5A1792 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 6E5A1802
_memmove.LIBCMT ref: 6E5A189C

Part of subcall function 6E5B96F3: std::exception::exception.LIBCMT ref: 6E5B9706
Part of subcall function 6E5B96F3: __CxxThrowException@8.LIBCMT ref: 6E5B971B

Part of subcall function 6E5B96C5: std::exception::exception.LIBCMT ref: 6E5B96D8
Part of subcall function 6E5B96C5: __CxxThrowException@8.LIBCMT ref: 6E5B96ED

__EH_prolog3.LIBCMT ref: 6E5A18E1

Strings

string too long, xrefs: 6E5A1829, 6E5A18CF
invalid string position, xrefs: 6E5A18C5

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: Exception@8Throw_memmovestd::exception::exception$H_prolog3
String ID: invalid string position$string too long
API String ID: 1801153282-4289949731
Opcode ID: 933a81896e7a644b6ca43ebc32fbbfffd05a1bebcd3052a52ce0552022ca2d78
Instruction ID: a2ba05a6d44bbd1a9dda9e7fc1bdca556509145060b92ff510836733d280d755
Opcode Fuzzy Hash: 933a81896e7a644b6ca43ebc32fbbfffd05a1bebcd3052a52ce0552022ca2d78
Instruction Fuzzy Hash: 2F51A5B17002029BDB24CEEDDE90AAE77EDEF81754B10496DEA15CB681CB70ED4C8791

Function 6E5A51DE Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 111registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6E5A51E8
Concurrency::details::SchedulerBase::GetPolicy.LIBCMT ref: 6E5A5239
RegOpenKeyExA.ADVAPI32(?,00000000,00000000,00020119,?,00000024,00000001,00000080,6E5A5176,?,?,00000024,6E5B1AB6), ref: 6E5A5254
RegCloseKey.ADVAPI32(?,?,00000024,6E5B1AB6), ref: 6E5A5310

Strings

[^a-zA-Z0-9 _-]+, xrefs: 6E5A52A4

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: Base::CloseConcurrency::details::H_prolog3_OpenPolicyScheduler
String ID: [^a-zA-Z0-9 _-]+
API String ID: 1600596096-3044450163
Opcode ID: 6b8d29b2170f4805e04ea5d26a4ce0128ef5f6fd44c3acb95e6a6d6031de6d5f
Instruction ID: 1b7dcd4d262a13f2f75895025e21795c0e605d93c678ecaf55d4705530f0dce5
Opcode Fuzzy Hash: 6b8d29b2170f4805e04ea5d26a4ce0128ef5f6fd44c3acb95e6a6d6031de6d5f
Instruction Fuzzy Hash: 0F4106718002099FDB04DFE8C990AEDBBF9AF54318F154459D659BB241EB706E49CBA0

Function 6E5C1B0C Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 102COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6E5C9287: __getptd_noexit.LIBCMT ref: 6E5C9288
Part of subcall function 6E5C9287: __amsg_exit.LIBCMT ref: 6E5C9295

_CallSETranslator.LIBCMT ref: 6E5C1B6C
_GetRangeOfTrysToCheck.LIBCMT ref: 6E5C1B96

Strings

MOC, xrefs: 6E5C1B4B
RCC, xrefs: 6E5C1B53
_w, xrefs: 6E5C1B23

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: CallCheckRangeTranslatorTrys__amsg_exit__getptd_noexit
String ID: MOC$RCC$_w
API String ID: 2400441249-1066603258
Opcode ID: a3efcec2448019eab0a961c35459b15b4b8c8576fc7e31686c25843bce29d72c
Instruction ID: 14343ab335932db0feffd220c1efe2d9ecba5a948ed55ad6237b8f09b73398ca
Opcode Fuzzy Hash: a3efcec2448019eab0a961c35459b15b4b8c8576fc7e31686c25843bce29d72c
Instruction Fuzzy Hash: C0318B3250010AAFDB11CFC0C9A0FAAB7B9EF88B18F29855CFA1457201D375E955DBA2

Function 6E5A4C76 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 99COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6E5A4C7D

Part of subcall function 6E5A3C23: __EH_prolog3_GS.LIBCMT ref: 6E5A3C2A
Part of subcall function 6E5A3C23: GetCurrentProcess.KERNEL32(00000008,6E5A5049,0000002C,6E5A4CA5,0000005C,6E5A5150), ref: 6E5A3C67
Part of subcall function 6E5A3C23: OpenProcessToken.ADVAPI32(00000000), ref: 6E5A3C6E
Part of subcall function 6E5A3C23: CloseHandle.KERNELBASE(6E5A5049,00000000,0000002C,6E5A4CA5,0000005C,6E5A5150), ref: 6E5A3C96

Part of subcall function 6E5A219D: __EH_prolog3.LIBCMT ref: 6E5A21A4

Part of subcall function 6E5A4B42: __EH_prolog3.LIBCMT ref: 6E5A4B49

Part of subcall function 6E5B6448: GetModuleHandleA.KERNEL32(kernel32,?,?,6E5A4D31,00000000,80000002,6E5E1704,Software,00000000,80000003,00000000,0000005C,6E5A5150,0000002C,6E5A5049,6E5E1704), ref: 6E5B6455
Part of subcall function 6E5B6448: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 6E5B6466
Part of subcall function 6E5B6448: GetCurrentProcess.KERNEL32(00000000,?,?,?,6E5A4D31,00000000,80000002,6E5E1704,Software,00000000,80000003,00000000,0000005C,6E5A5150,0000002C,6E5A5049), ref: 6E5B6476

Strings

\Software, xrefs: 6E5A4CA5
\Software\Wow6432Node, xrefs: 6E5A4D35
Software\Wow6432Node, xrefs: 6E5A4D73
Software, xrefs: 6E5A4CEB

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: Process$CurrentH_prolog3H_prolog3_Handle$AddressCloseModuleOpenProcToken
String ID: Software$Software\Wow6432Node$\Software$\Software\Wow6432Node
API String ID: 1678536576-3372360685
Opcode ID: 112020816cdd83de1856564d7329c954319fdf9546481562a732eff83da1e24b
Instruction ID: 262d7d7165951559028b36f70cac8564fa8fda31eead1674c2058e4650e9abc7
Opcode Fuzzy Hash: 112020816cdd83de1856564d7329c954319fdf9546481562a732eff83da1e24b
Instruction Fuzzy Hash: C9410A748012489ADB04DBECCA50AECBBF9AFA8648F548859C716B7241EB745E0DCB61

Function 6E5A4DC9 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 99COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6E5A4DD0

Part of subcall function 6E5A3C23: __EH_prolog3_GS.LIBCMT ref: 6E5A3C2A
Part of subcall function 6E5A3C23: GetCurrentProcess.KERNEL32(00000008,6E5A5049,0000002C,6E5A4CA5,0000005C,6E5A5150), ref: 6E5A3C67
Part of subcall function 6E5A3C23: OpenProcessToken.ADVAPI32(00000000), ref: 6E5A3C6E
Part of subcall function 6E5A3C23: CloseHandle.KERNELBASE(6E5A5049,00000000,0000002C,6E5A4CA5,0000005C,6E5A5150), ref: 6E5A3C96

Part of subcall function 6E5A219D: __EH_prolog3.LIBCMT ref: 6E5A21A4

Part of subcall function 6E5A4B42: __EH_prolog3.LIBCMT ref: 6E5A4B49

Part of subcall function 6E5B6448: GetModuleHandleA.KERNEL32(kernel32,?,?,6E5A4D31,00000000,80000002,6E5E1704,Software,00000000,80000003,00000000,0000005C,6E5A5150,0000002C,6E5A5049,6E5E1704), ref: 6E5B6455
Part of subcall function 6E5B6448: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 6E5B6466
Part of subcall function 6E5B6448: GetCurrentProcess.KERNEL32(00000000,?,?,?,6E5A4D31,00000000,80000002,6E5E1704,Software,00000000,80000003,00000000,0000005C,6E5A5150,0000002C,6E5A5049), ref: 6E5B6476

Strings

Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 6E5A4E3E
Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 6E5A4EC6
\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 6E5A4E88
\Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 6E5A4DF8

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: Process$CurrentH_prolog3H_prolog3_Handle$AddressCloseModuleOpenProcToken
String ID: Software\Microsoft\Windows\CurrentVersion\Uninstall$Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall$\Software\Microsoft\Windows\CurrentVersion\Uninstall$\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 1678536576-3281936542
Opcode ID: 4e99ffa8206ce11cc9da582fb4aae0358fd1936f58fdf4af8cb9d3bf99787106
Instruction ID: 734f133e1fd3dda86725960af8a143597fd1b402a1822980ce26427f095637d7
Opcode Fuzzy Hash: 4e99ffa8206ce11cc9da582fb4aae0358fd1936f58fdf4af8cb9d3bf99787106
Instruction Fuzzy Hash: BD410B74801248DEDB04DBECCA50AECBBF9AFA8248F54885DD716B7241EB745E0DCB61

Function 6E5AE261 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 67COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6E5AE268

Part of subcall function 6E5ADC56: __EH_prolog3.LIBCMT ref: 6E5ADC5D
Part of subcall function 6E5ADC56: CoCreateInstance.OLE32(6E5DA3A8,00000000,00000001,6E5E232C,?,00000008,6E5AE298,All Tasks: ,00000064,6E5B1C15), ref: 6E5ADC7F
Part of subcall function 6E5ADC56: SysFreeString.OLEAUT32(?), ref: 6E5ADCB6
Part of subcall function 6E5ADC56: CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,ROOT\CIMV2), ref: 6E5ADCCE

Part of subcall function 6E5ADFC1: __EH_prolog3_GS.LIBCMT ref: 6E5ADFC8
Part of subcall function 6E5ADFC1: SysFreeString.OLEAUT32(?), ref: 6E5AE08D
Part of subcall function 6E5ADFC1: SysFreeString.OLEAUT32(?), ref: 6E5AE092
Part of subcall function 6E5ADFC1: VariantInit.OLEAUT32(?), ref: 6E5AE0DC

Part of subcall function 6E5A1792: _memmove.LIBCMT ref: 6E5A189C

Strings

Win32_ScheduledJob, xrefs: 6E5AE2BC
All Tasks: , xrefs: 6E5AE274
Name, xrefs: 6E5AE2AD
Win32_ScheduledJob=, xrefs: 6E5AE2DA

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: FreeString$H_prolog3_$BlanketCreateH_prolog3InitInstanceProxyVariant_memmove
String ID: All Tasks: $Name$Win32_ScheduledJob$Win32_ScheduledJob=
API String ID: 1657339313-2270803182
Opcode ID: b0dcf3691dc2c806130d14edeef22b3e847d1b22baa3b6428845ad2a41604726
Instruction ID: 21987873c2b8c278b89ed18849a94b357a0ba5e1937078d0a77f15c94ca6fbb3
Opcode Fuzzy Hash: b0dcf3691dc2c806130d14edeef22b3e847d1b22baa3b6428845ad2a41604726
Instruction Fuzzy Hash: 4A2179B0D012489ACF04EBECCA546DCBBFAAF95208F60859DC755AB281DB705E09CB52

Function 6E5ADC56 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63comCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6E5ADC5D
CoCreateInstance.OLE32(6E5DA3A8,00000000,00000001,6E5E232C,?,00000008,6E5AE298,All Tasks: ,00000064,6E5B1C15), ref: 6E5ADC7F

Part of subcall function 6E5ACCEA: SysFreeString.OLEAUT32 ref: 6E5ACD1B

SysFreeString.OLEAUT32(?), ref: 6E5ADCB6
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,ROOT\CIMV2), ref: 6E5ADCCE

Strings

ROOT\CIMV2, xrefs: 6E5ADC8C

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: FreeString$BlanketCreateH_prolog3InstanceProxy
String ID: ROOT\CIMV2
API String ID: 3095441519-2786109267
Opcode ID: d4bb816f92b9a2351a503bc26b5db75252ee90d81703b01755739eca16b5e2ae
Instruction ID: 50c9b77db4f2672610205a50bcadbacbb6d2fbbc45893a1b92925717b41e7d0a
Opcode Fuzzy Hash: d4bb816f92b9a2351a503bc26b5db75252ee90d81703b01755739eca16b5e2ae
Instruction Fuzzy Hash: 7E116D74A40205AFEB149BE4CD54EBF76B9FF86B05B50451CFA52EB290CB718E048B24

Function 06D91021 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 06D91DD9: lstrcpynA.KERNEL32(06D91054,?,?,?,06D91054,?), ref: 06D91E06
Part of subcall function 06D91DD9: GlobalFree.KERNELBASE ref: 06D91E16

SHBrowseForFolderA.SHELL32(?,?,00000400,?,00000104), ref: 06D910A8
SHGetPathFromIDListA.SHELL32(00000000,?), ref: 06D910C8
CoTaskMemFree.OLE32(00000000,error), ref: 06D910E6

Strings

error, xrefs: 06D910B4, 06D910DB
E, xrefs: 06D91093

Memory Dump Source

Source File: 00000001.00000002.2976302121.0000000006D91000.00000020.00000001.01000000.00000009.sdmp, Offset: 06D90000, based on PE: true

Associated: 00000001.00000002.2976276508.0000000006D90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2976439780.0000000006D93000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2976488802.0000000006D94000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2976529163.0000000006D97000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6d90000_Au_.jbxd

Similarity

API ID: Free$BrowseFolderFromGlobalListPathTasklstrcpyn
String ID: E$error
API String ID: 1728609016-2359134700
Opcode ID: 063c3d3ffd18d74498dbf66357ab8249fb8027159ff055d9309e0466914dfe25
Instruction ID: 69c751311d8a7e8536a47f3da0e72c757ff953c2aef81ebc9aca1db617775118
Opcode Fuzzy Hash: 063c3d3ffd18d74498dbf66357ab8249fb8027159ff055d9309e0466914dfe25
Instruction Fuzzy Hash: 3C2138B5D0121AAFCF91DFA2ED44BDE77F8AB08345F004162E609E6200E735D6648FB1

Function 6E5B13BE Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6E5B1418

Strings

ios_base::eofbit set, xrefs: 6E5B140D
pK^n, xrefs: 6E5B143E
ios_base::failbit set, xrefs: 6E5B1406
ios_base::badbit set, xrefs: 6E5B13E9

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$pK^n
API String ID: 2005118841-1228110713
Opcode ID: bd463aae846a97d80c6b3aa8a1630bf5a79fa939354a5cc7bc0e32dd99cf7368
Instruction ID: 13221c6e72ece598da54bb6fca1739fda0bf4051846176473762d6996d377a88
Opcode Fuzzy Hash: bd463aae846a97d80c6b3aa8a1630bf5a79fa939354a5cc7bc0e32dd99cf7368
Instruction Fuzzy Hash: 65019271904309ABDF80CED5C9A1FD977F8AB44308F60C869E914AE942E375E54BCB61

Function 6E5B6CC9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6E5B6CD0
UuidCreate.RPCRT4(?), ref: 6E5B6CF9
UuidToStringA.RPCRT4(?,?), ref: 6E5B6D0E
RpcStringFreeA.RPCRT4(?), ref: 6E5B6D31

Strings

00000000-0000-0000-0000-000000000000, xrefs: 6E5B6CDB

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: StringUuid$CreateFreeH_prolog3_
String ID: 00000000-0000-0000-0000-000000000000
API String ID: 3372217299-2169625225
Opcode ID: 5f26211200456aa91c6c59c43080803614bfbdb78cef492bdc430c8402599b10
Instruction ID: 60fe691ad0421d724fb46f5c59001563aaea70b521efbdff1f7bd045712f885f
Opcode Fuzzy Hash: 5f26211200456aa91c6c59c43080803614bfbdb78cef492bdc430c8402599b10
Instruction Fuzzy Hash: D8014871D10618BBDF05ABE4D954AEEB3BDAF44208F004829E201E6120EF789A098B55

Function 00401D1B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D22
GetDeviceCaps.GDI32(00000000), ref: 00401D29
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D38
CreateFontIndirectA.GDI32(00413B74), ref: 00401D8A

Strings

MS Shell Dlg, xrefs: 00401D70

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirect
String ID: MS Shell Dlg
API String ID: 3272661963-76309092
Opcode ID: dba0c2efe02f1436e659110f6329974c318dfb36ace0fc9307f647db4be70003
Instruction ID: dbc87e4f6ee83b20b8f61a8a7c3942786851e2433e4431165b402845567ff4dd
Opcode Fuzzy Hash: dba0c2efe02f1436e659110f6329974c318dfb36ace0fc9307f647db4be70003
Instruction Fuzzy Hash: D0F0A470A8C240AFE7016BB0AD0ABD93F649721317F10446AF141BA1E3D57C21009B7E

Function 6E5B6448 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32,?,?,6E5A4D31,00000000,80000002,6E5E1704,Software,00000000,80000003,00000000,0000005C,6E5A5150,0000002C,6E5A5049,6E5E1704), ref: 6E5B6455
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 6E5B6466
GetCurrentProcess.KERNEL32(00000000,?,?,?,6E5A4D31,00000000,80000002,6E5E1704,Software,00000000,80000003,00000000,0000005C,6E5A5150,0000002C,6E5A5049), ref: 6E5B6476

Strings

kernel32, xrefs: 6E5B6450
IsWow64Process, xrefs: 6E5B6460

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: AddressCurrentHandleModuleProcProcess
String ID: IsWow64Process$kernel32
API String ID: 4190356694-3789238822
Opcode ID: 6b85e6f9e2176158f21c3533c0ef07138c1f55fb7b5e864fdd644b00bac8e69a
Instruction ID: 45e932895048724a65b28c9b24d49877a8f4a6cffc800db585f49985f61c8939
Opcode Fuzzy Hash: 6b85e6f9e2176158f21c3533c0ef07138c1f55fb7b5e864fdd644b00bac8e69a
Instruction Fuzzy Hash: D3E0DF36810B19A7CF00ABF08D1CB9F3BFCAB04796F010524E500EB102DE78D600CAA8

Function 02501ADF Relevance: 7.7, APIs: 5, Instructions: 190COMMON

Download Yara Rule

APIs

Part of subcall function 02501561: lstrcpyA.KERNEL32(00000000,?,?,?,02501804,?,02501017), ref: 0250157E
Part of subcall function 02501561: GlobalFree.KERNEL32 ref: 0250158F

GlobalFree.KERNEL32(?), ref: 02501B41
GlobalFree.KERNEL32(?), ref: 02501CCD
GlobalFree.KERNEL32(?), ref: 02501CD2

Memory Dump Source

Source File: 00000001.00000002.2973409424.0000000002501000.00000020.00000001.01000000.00000008.sdmp, Offset: 02500000, based on PE: true

Associated: 00000001.00000002.2973389138.0000000002500000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.2973429594.0000000002503000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.2973449141.0000000002505000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2500000_Au_.jbxd

Similarity

API ID: FreeGlobal$lstrcpy
String ID:
API String ID: 176019282-0
Opcode ID: 5a34073ec754d5092e67facf689b37ed3c22124f4f3876e9664b10455dcd16c4
Instruction ID: e1bc4959e2f4efa5d3a4f98ea8468900a8a37613ab2dd6ca51851fc5606e22c4
Opcode Fuzzy Hash: 5a34073ec754d5092e67facf689b37ed3c22124f4f3876e9664b10455dcd16c4
Instruction Fuzzy Hash: A951E032D10909EACB269FA88DC467DBBA6BB81348F54C559D80DA71C0D771EE00AB5F

Function 6E5A2C34 Relevance: 7.7, APIs: 5, Instructions: 154COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6E5A2C3B
_memmove.LIBCMT ref: 6E5A2C9E
_memmove.LIBCMT ref: 6E5A2CD4
_memmove.LIBCMT ref: 6E5A2D28
__CxxThrowException@8.LIBCMT ref: 6E5A2D80

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: _memmove$Exception@8H_prolog3_Throw
String ID:
API String ID: 2435204977-0
Opcode ID: 672457a61c86be245c41eaf3d22b2b57ff2f40d61a7a2877b0b6d3847bd85be3
Instruction ID: 83827fad14b966aa35fb94612a33fdc9c1d6ed50ed2c7e5d55cb076b2e8d4207
Opcode Fuzzy Hash: 672457a61c86be245c41eaf3d22b2b57ff2f40d61a7a2877b0b6d3847bd85be3
Instruction Fuzzy Hash: BA516475A002199FCB04DFE9C8958BDBBF6FF88305B148529EA06EB304DB34AD55CB51

Function 6E5BE1FB Relevance: 7.6, APIs: 5, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6E5BE207

Part of subcall function 6E5BDFE7: __FF_MSGBANNER.LIBCMT ref: 6E5BDFFE
Part of subcall function 6E5BDFE7: __NMSG_WRITE.LIBCMT ref: 6E5BE005
Part of subcall function 6E5BDFE7: HeapAlloc.KERNEL32(007D0000,00000000,00000001,00000001,6E5B176E,6E5B176E,?,6E5BDD70,00000001,00000000,6E5B176E,?,?,6E5BDC99,6E5B96DD,?), ref: 6E5BE02A

_free.LIBCMT ref: 6E5BE21A

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: AllocHeap_free_malloc
String ID:
API String ID: 2734353464-0
Opcode ID: 7a52e509a5bc18862be3849e47c3f4e774947a9340d33b63a97723b1634edd1e
Instruction ID: 336bea23faeb4b38520e4cd49b06f48bc28811d534ffed9abc81d5b7f53ef740
Opcode Fuzzy Hash: 7a52e509a5bc18862be3849e47c3f4e774947a9340d33b63a97723b1634edd1e
Instruction Fuzzy Hash: 3011CA3290461DAFCF511FF49C34E9A77DCAF46768F1549A9EA0496180DF388C818791

Function 00402A36 Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A57
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A93
RegCloseKey.ADVAPI32(?), ref: 00402A9C
RegCloseKey.ADVAPI32(?), ref: 00402AC1
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402ADF

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 3379485738d87ea4489a121fc5fe0e7c5314169862274de7ec56f73532940607
Instruction ID: 259584080012af4a033af28bf2d78e0e72ca5e45c602eb3588b612967464464b
Opcode Fuzzy Hash: 3379485738d87ea4489a121fc5fe0e7c5314169862274de7ec56f73532940607
Instruction Fuzzy Hash: 4B116A75600009FFDF219F90DE48DAF7B6DEB41344B104436F945A00E0DBB49E55AF6A

Function 6E5BE689 Relevance: 7.6, APIs: 5, Instructions: 61threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 6E5BE6B3
CreateThread.KERNEL32(00000000,00000000,6E5BE7E9,00000000,00000000,00000000), ref: 6E5BE6F7
GetLastError.KERNEL32(?,?,6E5B2C1E,00000000,00000000,6E5AD1D1,?,00000000,00000000,?,?,?,?,?,?,?), ref: 6E5BE701
_free.LIBCMT ref: 6E5BE70A
__dosmaperr.LIBCMT ref: 6E5BE715

Part of subcall function 6E5C47D7: __getptd_noexit.LIBCMT ref: 6E5C47D7

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
String ID:
API String ID: 2664167353-0
Opcode ID: 9262dfc758f4c3b01fcc7bfebe4108153a7074e313cc058f501e052463a9dc9f
Instruction ID: 1b0921665a8a7e4b83263936f74c69647cae32d969d7b9b1880b4ecb3ae34478
Opcode Fuzzy Hash: 9262dfc758f4c3b01fcc7bfebe4108153a7074e313cc058f501e052463a9dc9f
Instruction Fuzzy Hash: A611A13210474AAFDB119EE99C60DAB3BECEF85B68B14096DFA1486191DF31D8118662

Function 6E5C9A63 Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6E5C9287: __getptd_noexit.LIBCMT ref: 6E5C9288
Part of subcall function 6E5C9287: __amsg_exit.LIBCMT ref: 6E5C9295

__amsg_exit.LIBCMT ref: 6E5C9A90
__lock.LIBCMT ref: 6E5C9AA0
InterlockedDecrement.KERNEL32(?), ref: 6E5C9ABD
_free.LIBCMT ref: 6E5C9AD0
InterlockedIncrement.KERNEL32(008011F8), ref: 6E5C9AE8

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 1231874560-0
Opcode ID: 0bae88040a0ca3e06100a675646a05917d112c0d97545a4abeb3eef14045d802
Instruction ID: 48b404240b444a8d7b66c1dffaa9fcd4baa810382e27487079430fab34f369a1
Opcode Fuzzy Hash: 0bae88040a0ca3e06100a675646a05917d112c0d97545a4abeb3eef14045d802
Instruction Fuzzy Hash: DD01D232D04A169BDB519FE588247AE77E4BF81F68F06184DD91067680DB346C81CBC7

Function 6E5A3BA4 Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 6E5A3BAA
GetTickCount.KERNEL32 ref: 6E5A3BE7
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000003E8,000005FF), ref: 6E5A3C08
CloseHandle.KERNEL32(?,?,?,?,6E5AD214), ref: 6E5A3C14
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,6E5AD214), ref: 6E5A3BBD

Part of subcall function 6E5A3B57: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 6E5A3B6C
Part of subcall function 6E5A3B57: DispatchMessageA.USER32(?), ref: 6E5A3B7A
Part of subcall function 6E5A3B57: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 6E5A3B89
Part of subcall function 6E5A3B57: Sleep.KERNEL32(00000000), ref: 6E5A3B94

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: Message$CountPeekTick$CloseCreateDispatchEventHandleMultipleObjectsSleepWait
String ID:
API String ID: 2103223456-0
Opcode ID: a0627ffa4ebd161b8895e01de37b149264167cf2839e087547c197646de9d31f
Instruction ID: bfbb23fde0897fa47f14ec0c0417e4135c6f550d1742cb4ac40685c167ab8572
Opcode Fuzzy Hash: a0627ffa4ebd161b8895e01de37b149264167cf2839e087547c197646de9d31f
Instruction Fuzzy Hash: 91F08C30280A09ABEA405BE9CD9AFAE33ADDF0175DF100430B315A60C2DEA58E4096A4

Function 00401CC1 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401CC5
GetClientRect.USER32(00000000,?), ref: 00401CD2
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401CF3
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D01
DeleteObject.GDI32(00000000), ref: 00401D10

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 276fc44ce4f332ec84e3650127dfaa0c07b744a984f4017a3f95436c3d20cf85
Instruction ID: 086d5b446e16212717cf7668c87d994395aec52f986300cbf4c27fae309feacd
Opcode Fuzzy Hash: 276fc44ce4f332ec84e3650127dfaa0c07b744a984f4017a3f95436c3d20cf85
Instruction Fuzzy Hash: 91F01DB2E04105BFD700EBA4EE89DAFB7BDEB44345B104576F602F2190C6789D018B69

Function 6E5A27B2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6E5A2850

Part of subcall function 6E5C0A65: RaiseException.KERNEL32(?,?,6E5B96F2,6E5B176E,?,?,?,?,6E5B96F2,6E5B176E,6E5E4128,?), ref: 6E5C0AB6

_memmove.LIBCMT ref: 6E5A28A4
_memset.LIBCMT ref: 6E5A28E1

Part of subcall function 6E5A168D: __EH_prolog3.LIBCMT ref: 6E5A1694

Strings

HMAC: can only be used with a block-based hash function, xrefs: 6E5A281B

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: ExceptionException@8H_prolog3RaiseThrow_memmove_memset
String ID: HMAC: can only be used with a block-based hash function
API String ID: 3933666237-7675281
Opcode ID: f35e704ccbc9ec064590a6aef39aefd5adfd7d0a6aa806b534009b2cc293c9fa
Instruction ID: 092852a669ee5df48afcb42416b093eff16da4150ba502ad1f538a85852b89ae
Opcode Fuzzy Hash: f35e704ccbc9ec064590a6aef39aefd5adfd7d0a6aa806b534009b2cc293c9fa
Instruction Fuzzy Hash: 215145756043119FCB04CF69C894A5ABBE5FF89314F014AADF9568B352EB30E909CB92

Function 6E5B7091 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 82COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6E5B7098
swprintf.LIBCMT ref: 6E5B714E

Strings

%.2X, xrefs: 6E5B7143
!'()*-.0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz~, xrefs: 6E5B70A9

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: H_prolog3_swprintf
String ID: !'()*-.0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz~$%.2X
API String ID: 472742393-2473756923
Opcode ID: dc77aa0c9d577017d7f5e4d35f7df7c75c35f63b71ad7a893ec112e64a592b13
Instruction ID: 942f46a764655173dde06c85b84d0e5ac58d55b8f64c69b123e4716314bd7b0a
Opcode Fuzzy Hash: dc77aa0c9d577017d7f5e4d35f7df7c75c35f63b71ad7a893ec112e64a592b13
Instruction Fuzzy Hash: A5219470E002049FDB20DFE8C9A0AEDB6FDAB85214F544A1DE252DB6C1CB709D49CB62

Function 6E5A4F14 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6E5A4F1B

Part of subcall function 6E5A57E7: __EH_prolog3.LIBCMT ref: 6E5A57EE
Part of subcall function 6E5A57E7: std::locale::_Init.LIBCPMT ref: 6E5A5806

Strings

^Classes$, xrefs: 6E5A4F46
^\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\}$, xrefs: 6E5A4F23
^Wow6432Node$, xrefs: 6E5A4F35

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: H_prolog3$Initstd::locale::_
String ID: ^Classes$$^Wow6432Node$$^\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\}$
API String ID: 463956699-3159395355
Opcode ID: 87d8ad0b2cd0343aa60b69b17495c0f5767f1b855422e88d0958bb38f519d7f0
Instruction ID: 5d71f07aef4e9b3175ef4025726905155c0ac74cf0617239760c66c660a1c419
Opcode Fuzzy Hash: 87d8ad0b2cd0343aa60b69b17495c0f5767f1b855422e88d0958bb38f519d7f0
Instruction Fuzzy Hash: 17212871C242989EDF49CFE8C850AECBBF8BF54204F20062ED215BB251EB301A09CF10

Function 6E5A1C9D Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 6E5A2206: __EH_prolog3_GS.LIBCMT ref: 6E5A220D

Part of subcall function 6E5A168D: __EH_prolog3.LIBCMT ref: 6E5A1694

__CxxThrowException@8.LIBCMT ref: 6E5A1DA7

Part of subcall function 6E5C0A65: RaiseException.KERNEL32(?,?,6E5B96F2,6E5B176E,?,?,?,?,6E5B96F2,6E5B176E,6E5E4128,?), ref: 6E5C0AB6

Strings

bytes, xrefs: 6E5A1D74
byte digest to , xrefs: 6E5A1D42
HashTransformation: can't truncate a , xrefs: 6E5A1D1E

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: ExceptionException@8H_prolog3H_prolog3_RaiseThrow
String ID: byte digest to $ bytes$HashTransformation: can't truncate a
API String ID: 1139647276-1139078987
Opcode ID: b5ab3e517764dbda5832e7171f02c144bc08331e823d54cadd843d3542f965b4
Instruction ID: b402db13c4257a4cb8f76d6dceff33643f2255a14028d17440f873dfd6e8818a
Opcode Fuzzy Hash: b5ab3e517764dbda5832e7171f02c144bc08331e823d54cadd843d3542f965b4
Instruction Fuzzy Hash: 92318F71508380CFD324CBA8D441BEFBBE9AB88314F10491EE69587380EF749809CBA3

Function 004046F1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00431CA0,00431CA0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404611,000000DF,0000040F,00000400,00000000), ref: 0040477F
wsprintfA.USER32 ref: 00404787
SetDlgItemTextA.USER32(?,00431CA0), ref: 0040479A

Strings

%u.%u%s%s, xrefs: 00404769

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 209957d547b213f1450bb2b5f8376dcff8b8e18e64197bb7b829da11d1368e4f
Instruction ID: 36010866de4d4973df748f9dd838e75dfff237001bd6de138a618f82c9ba1ae9
Opcode Fuzzy Hash: 209957d547b213f1450bb2b5f8376dcff8b8e18e64197bb7b829da11d1368e4f
Instruction Fuzzy Hash: 16113473A001243BDB00626D8C45EEF3259CBD6335F14023BFA25F71D1E978AC1282E8

Function 6E5D1995 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 6E5D19AC
_wcscmp.LIBCMT ref: 6E5D19BD

Strings

ACP, xrefs: 6E5D19A6
OCP, xrefs: 6E5D19B7

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: _wcscmp
String ID: ACP$OCP
API String ID: 856254489-711371036
Opcode ID: 0a98565c6db8d51054ab253b574a836ef8b7bf409a992444f5a0d55224cff0f3
Instruction ID: 8a70589a223959f15dfaee0d80e1db49e5d392e085fb5f9fdc1f6878c2e21b93
Opcode Fuzzy Hash: 0a98565c6db8d51054ab253b574a836ef8b7bf409a992444f5a0d55224cff0f3
Instruction Fuzzy Hash: 7401802220A506B6EB449BDDCD41FEA33EC9F01765F008815FA18EA181FB70DA8D83DD

Function 6E5B6D51 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6E5B6D58
UuidToStringA.RPCRT4(?,00000000), ref: 6E5B6D89
RpcStringFreeA.RPCRT4(00000000), ref: 6E5B6DAC

Strings

00000000-0000-0000-0000-000000000000, xrefs: 6E5B6D65

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: String$FreeH_prolog3_Uuid
String ID: 00000000-0000-0000-0000-000000000000
API String ID: 440902543-2169625225
Opcode ID: 3d8a626bd259bf4aac208fa15645e1de04a0acbf9a67a6275e4e63fd5cfb17ee
Instruction ID: e2c46b570aa9b3f8d5712ce99223d58fcf66243d65f4348b4ab2e6bad94d4abb
Opcode Fuzzy Hash: 3d8a626bd259bf4aac208fa15645e1de04a0acbf9a67a6275e4e63fd5cfb17ee
Instruction Fuzzy Hash: B3011A71D10608ABDF04EFD4D994BDEB7F9AF85329F444828E601AA161DF745A098B50

Function 6E5A1000 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36windowCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000012), ref: 6E5A101B
_memcmp.LIBCMT ref: 6E5A1030
PostMessageA.USER32(?,00000010,00000000,00000000), ref: 6E5A1041

Strings

Chrome_WidgetWin_, xrefs: 6E5A102A

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: ClassMessageNamePost_memcmp
String ID: Chrome_WidgetWin_
API String ID: 780640740-524248775
Opcode ID: 4401c2041db4698ac0ccdea99041685d36118b7c82eefc48bf99c7b6602dcaaf
Instruction ID: 6e917363bfda52bc94188827c587699318f9ea6c2700102caf3daad247ddbab4
Opcode Fuzzy Hash: 4401c2041db4698ac0ccdea99041685d36118b7c82eefc48bf99c7b6602dcaaf
Instruction Fuzzy Hash: E9F0BE71A00209BBEB00EBE48C05EFF37ECAB0A304F410415EA41E6182EB24AA099795

Function 6E5BD5AA Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6E5BD5C2

Part of subcall function 6E5BDFE7: __FF_MSGBANNER.LIBCMT ref: 6E5BDFFE
Part of subcall function 6E5BDFE7: __NMSG_WRITE.LIBCMT ref: 6E5BE005
Part of subcall function 6E5BDFE7: HeapAlloc.KERNEL32(007D0000,00000000,00000001,00000001,6E5B176E,6E5B176E,?,6E5BDD70,00000001,00000000,6E5B176E,?,?,6E5BDC99,6E5B96DD,?), ref: 6E5BE02A

std::exception::exception.LIBCMT ref: 6E5BD5DE
__CxxThrowException@8.LIBCMT ref: 6E5BD5F3

Part of subcall function 6E5C0A65: RaiseException.KERNEL32(?,?,6E5B96F2,6E5B176E,?,?,?,?,6E5B96F2,6E5B176E,6E5E4128,?), ref: 6E5C0AB6

Strings

pJ^n, xrefs: 6E5BD980, 6E5BD966, 6E5BD954, 6E5BDAE4, 6E5BDAF2

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: AllocExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
String ID: pJ^n
API String ID: 1059622496-3108260627
Opcode ID: d60d8febb190ab207f7559fd0dcb514956739c6f63c86a9debd500ff6f4b4d6b
Instruction ID: ca66a89a5bb0f6ce2bb323ce0cbf06fc65b04f94ae82ebead15f6a8885173820
Opcode Fuzzy Hash: d60d8febb190ab207f7559fd0dcb514956739c6f63c86a9debd500ff6f4b4d6b
Instruction Fuzzy Hash: 81E06D7640010EAADF00EFE8CD31AEF76FDAB41248F404815E611E61C0DB70DA45DFA2

Function 6E5A10D4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000200), ref: 6E5A10F8
_memcmp.LIBCMT ref: 6E5A1110
EnumChildWindows.USER32(?,6E5A1059,00000000), ref: 6E5A1123

Strings

IEFrame, xrefs: 6E5A110A

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: ChildClassEnumNameWindows_memcmp
String ID: IEFrame
API String ID: 4158947655-2708574431
Opcode ID: a557041b19af2c2213d0465e71ee4fc4f18e34d7ca1c6587ef65ea7939125f13
Instruction ID: 7c1efbb2f175d48a88a8a62039e67584fbf7c3f7b1a56d5b1e9e1e851b876911
Opcode Fuzzy Hash: a557041b19af2c2213d0465e71ee4fc4f18e34d7ca1c6587ef65ea7939125f13
Instruction Fuzzy Hash: 76F054B5500619ABDB00EBE58D09AEF73ECAB09204F414465EA11E6181EB34EE498B95

Function 10001247 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringA.KERNEL32(MyRunAsStrings,000000FF,00000000,?,00000208,?), ref: 10001269
SendMessageA.USER32(00000000), ref: 100012A9

Part of subcall function 10001164: GetUserNameA.ADVAPI32(00000000,?), ref: 100011A9
Part of subcall function 10001164: wsprintfA.USER32 ref: 100011D8
Part of subcall function 10001164: GetDlgItem.USER32(?,000003E8), ref: 100011FA
Part of subcall function 10001164: SendMessageA.USER32(00000000), ref: 10001203
Part of subcall function 10001164: LoadLibraryA.KERNEL32(SHELL32,00005503,00000000,00000204), ref: 10001217
Part of subcall function 10001164: LoadStringA.USER32(00000000), ref: 1000121E
Part of subcall function 10001164: GetDlgItem.USER32(?,000003EC), ref: 1000123B
Part of subcall function 10001164: SendMessageA.USER32(00000000), ref: 1000123E

Strings

MyRunAsStrings, xrefs: 10001264

Memory Dump Source

Source File: 00000001.00000002.2976574315.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2976553438.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2976597083.0000000010004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2976619836.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Au_.jbxd

Similarity

API ID: MessageSend$ItemLoadString$LibraryNamePrivateProfileUserwsprintf
String ID: MyRunAsStrings
API String ID: 2667165715-2281671616
Opcode ID: 1b3d7ef5eff27bbdb13ce52d41ce9ef7954c15fb36c19cb94a92a29c27a032cb
Instruction ID: 35d98105128b023dc0814c3eef1f0673ea542b48aa755e1878cd0529f49a1f15
Opcode Fuzzy Hash: 1b3d7ef5eff27bbdb13ce52d41ce9ef7954c15fb36c19cb94a92a29c27a032cb
Instruction Fuzzy Hash: B3F0E23490034AABFF519FA0CD49FCE3A69EF107D5F100210FA60A00E9DA7199B49AA2

Function 6E5BE791 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,6E5BE85A,?), ref: 6E5BE7AB
GetProcAddress.KERNEL32(00000000), ref: 6E5BE7B2

Strings

RoInitialize, xrefs: 6E5BE79A
combase.dll, xrefs: 6E5BE7A6

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: 5c8510186a706087741f87fb69e8e5b4a942b056e395f48eafaaf3ccba7b8694
Instruction ID: 5de1725ae4714e94bba17161a6c7df0e4f08e6e4185f6de2339528c217bd3bc7
Opcode Fuzzy Hash: 5c8510186a706087741f87fb69e8e5b4a942b056e395f48eafaaf3ccba7b8694
Instruction Fuzzy Hash: 27E04FB0550B45ABEF40AFB4CC0DB263AF6F706706F464860F102D6186EF7440049F19

Function 06D91480 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

Part of subcall function 06D913C6: GetPropA.USER32(?,NSIS: nsControl pointer property), ref: 06D913CF

LoadCursorA.USER32(00000000,00007F89), ref: 06D9149C
SetCursor.USER32(00000000,?,?,?), ref: 06D914A3
CallWindowProcA.USER32(?,?,00000020,?,?), ref: 06D914C0

Strings

, xrefs: 06D9148F

Memory Dump Source

Source File: 00000001.00000002.2976302121.0000000006D91000.00000020.00000001.01000000.00000009.sdmp, Offset: 06D90000, based on PE: true

Associated: 00000001.00000002.2976276508.0000000006D90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2976439780.0000000006D93000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2976488802.0000000006D94000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2976529163.0000000006D97000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6d90000_Au_.jbxd

Similarity

API ID: Cursor$CallLoadProcPropWindow
String ID:
API String ID: 1635134901-3916222277
Opcode ID: 9dcad890ee95e58e82cd7520a3a38ec2b4642b37b7aa016bd1c811b8ee8e7f56
Instruction ID: 093eb2818049ce0b999f1b04055d3fe6474a9156d0cc5dd62d11b13ef6660e4b
Opcode Fuzzy Hash: 9dcad890ee95e58e82cd7520a3a38ec2b4642b37b7aa016bd1c811b8ee8e7f56
Instruction Fuzzy Hash: F5E0C93294420ABFDF516FA2DD05AA93B6AAB1C355F41C420FA1998160C771C4609F71

Function 6E5BE866 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,6E5BE780), ref: 6E5BE880
GetProcAddress.KERNEL32(00000000), ref: 6E5BE887

Strings

combase.dll, xrefs: 6E5BE87B
RoUninitialize, xrefs: 6E5BE86F

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 2574300362-2819208100
Opcode ID: b29c467a05b99b3f6738a8388dcd710792988b931eba17b59bcdcd42272ec4cc
Instruction ID: ba20a400f391f8dfe56e7fd0be3f94eb7522b0f054633b9b84441abf9a8e782b
Opcode Fuzzy Hash: b29c467a05b99b3f6738a8388dcd710792988b931eba17b59bcdcd42272ec4cc
Instruction Fuzzy Hash: 21E0B6B1500A44ABEF80AFB0CD4DB253AF5E747705F561424F101D5586EF754484EB19

Function 6E5AFEBD Relevance: 6.2, APIs: 4, Instructions: 166COMMON

Download Yara Rule

APIs

_fgetc.LIBCMT ref: 6E5AFF44
_fgetc.LIBCMT ref: 6E5B006F

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: _fgetc
String ID:
API String ID: 762172173-0
Opcode ID: d80ee0a25b4ec8a09f68ea787372c73add6b125b67123b62e39798a7cb28b280
Instruction ID: 44722783cbcdf43f885e29a4e8ddbd2fd68c474c689eb56351be2a520ba63be9
Opcode Fuzzy Hash: d80ee0a25b4ec8a09f68ea787372c73add6b125b67123b62e39798a7cb28b280
Instruction Fuzzy Hash: 09515A31608346DFC710CF69C8A096BBBF9EF89318F900A2EF591971A0E771E944CB52

Function 6E5AF7DC Relevance: 6.2, APIs: 4, Instructions: 157COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6E5AF7E6

Part of subcall function 6E5AFA0D: __EH_prolog3.LIBCMT ref: 6E5AFA14

Part of subcall function 6E5AF747: __EH_prolog3_GS.LIBCMT ref: 6E5AF751
Part of subcall function 6E5AF747: GetTempPathA.KERNEL32(00000104,?,0000012C,6E5AF815,?,00000001,?,?,000001D8,6E5B2E0F,?,?,?,?,?), ref: 6E5AF78A

MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 6E5AF987

Part of subcall function 6E5B6C54: __EH_prolog3.LIBCMT ref: 6E5B6C5B

Part of subcall function 6E5B0725: __EH_prolog3_catch.LIBCMT ref: 6E5B072C

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6E5AF9BB
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6E5AF9E5

Part of subcall function 6E5B0CAD: __EH_prolog3.LIBCMT ref: 6E5B0CB4

Part of subcall function 6E5B098E: __EH_prolog3_catch.LIBCMT ref: 6E5B0995

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: H_prolog3$H_prolog3_H_prolog3_catchIos_base_dtorstd::ios_base::_$FileMovePathTemp
String ID:
API String ID: 2364275748-0
Opcode ID: 2628c78e3871987ec1765940a5168e6a2ccf4d146b4fa190c698de0668586e85
Instruction ID: 9d3960a88313dff81703e1c6976da1f40b060000fb44296b66a0f1d8be58ceaa
Opcode Fuzzy Hash: 2628c78e3871987ec1765940a5168e6a2ccf4d146b4fa190c698de0668586e85
Instruction Fuzzy Hash: E7518131A00219DFDB14CBE8CD54BEDB7F8AF55304F108499D649AB281EB70AE48CF61

Function 6E5C1D70 Relevance: 6.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 6E5C1DF4
_memmove.LIBCMT ref: 6E5C1E3B
___AdjustPointer.LIBCMT ref: 6E5C1E89
_memmove.LIBCMT ref: 6E5C1E92

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: AdjustPointer_memmove
String ID:
API String ID: 1721217611-0
Opcode ID: 9930ceb48a9cf0f8b496c862dd3575a5909dd08975cc94b58172f08bf85eaa6f
Instruction ID: a631ba0825af9634dba4d5d8dee5beab6beea235d885e4dcf3d47095eec5d49a
Opcode Fuzzy Hash: 9930ceb48a9cf0f8b496c862dd3575a5909dd08975cc94b58172f08bf85eaa6f
Instruction Fuzzy Hash: 6A41A2362042079FEB149FD5DAB2BBA3BF8AF41B64F10041DE950C66A0DB35D888C657

Function 6E5A2DBB Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 6E5A1C9D: __CxxThrowException@8.LIBCMT ref: 6E5A1DA7

_memset.LIBCMT ref: 6E5A2E33
_memset.LIBCMT ref: 6E5A2E45
_memset.LIBCMT ref: 6E5A2E66
_memmove.LIBCMT ref: 6E5A2EF7

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: _memset$Exception@8Throw_memmove
String ID:
API String ID: 1000995948-0
Opcode ID: 6d263deedafa077e9a5880a351291580daf4e448149809db4654deab14acc4d1
Instruction ID: 88650dba5d532fb25badc31ca16258fcb104e04c4cb1b192a56007056bc69340
Opcode Fuzzy Hash: 6d263deedafa077e9a5880a351291580daf4e448149809db4654deab14acc4d1
Instruction Fuzzy Hash: 64416175A00205AFDB08DFA9C8599BEFBF6FF88310B14855DEA1697380DB34AD51CB80

Function 6E5B9330 Relevance: 6.1, APIs: 4, Instructions: 127COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,6E5AE2D9,6E5AE2D8,00000000,00000000,00000000,00000000,FD8D3652,753CE610,00000000,?,00000000,00000000,6E5D7490,000000FF), ref: 6E5B93A3
GetLastError.KERNEL32(?,00000000,00000000,6E5D7490,000000FF,?,6E5ADBD3,00000000,00000000,6E5AE1EF,000000FF,?,00000000,00000000,00000020,00000000), ref: 6E5B93AF
WideCharToMultiByte.KERNEL32(00000000,00000000,6E5AE2D9,00000000,00000000,00000000,00000000,00000000), ref: 6E5B93F2
GetLastError.KERNEL32 ref: 6E5B9405

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: 4d036e155ab515e90892b9d7c4dbaff188151d846b8cea1b5b17fcda6887240a
Instruction ID: ef0f5d766039c402296c511c9653f839a980951573fbc3c993137e89c8bf9988
Opcode Fuzzy Hash: 4d036e155ab515e90892b9d7c4dbaff188151d846b8cea1b5b17fcda6887240a
Instruction Fuzzy Hash: 5E31D775604715ABD7108FA9CC55FABB7E8EB45714F108629FA05DB2C0D775E800CBA4

Function 6E5D0055 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6E5D0089
__isleadbyte_l.LIBCMT ref: 6E5D00B7
MultiByteToWideChar.KERNEL32(?,00000009,00000000,?,00000000,00000000,?,00000000,00000000,?,00000000,00000000,00000000), ref: 6E5D00E5
MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000001,00000000,00000000,?,00000000,00000000,?,00000000,00000000,00000000), ref: 6E5D011B

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 0486b2ad671ab77c9a412cfd87a0346cab096d1c3d43decc1e435849873656d7
Instruction ID: 9fdc2993c5b5f3638a8efca27f4815af6959eae2a5bf9408e29c136de04828cc
Opcode Fuzzy Hash: 0486b2ad671ab77c9a412cfd87a0346cab096d1c3d43decc1e435849873656d7
Instruction Fuzzy Hash: D1319C3160425ABFEB11CEF9CC44BBA7BEBBF85710F05442AE460871A0E730D895DB98

Function 6E5A46F1 Relevance: 6.1, APIs: 4, Instructions: 92COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00000000,?,?,?,?,00000000,00000000,00000000,?,00000001,?,6E5A42AF,00000000,00000003), ref: 6E5A4747
GetLastError.KERNEL32(?,00000001,?,6E5A42AF,00000000,00000003), ref: 6E5A4756
WideCharToMultiByte.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,00000001,?,6E5A42AF,00000000,00000003), ref: 6E5A476F
WideCharToMultiByte.KERNEL32(?,00000000,?,?,?,00000000,00000000,00000000,?,00000001,?,6E5A42AF,00000000,00000003), ref: 6E5A4796

Part of subcall function 6E5A3A47: __CxxThrowException@8.LIBCMT ref: 6E5A3A57
Part of subcall function 6E5A3A47: GetLastError.KERNEL32(?,6E5E4AA4,?,?,)`[n,6E5B656C,)`[n,00000000,?,?,?,6E5B64E5,00000000,?,?,6E5B6029), ref: 6E5A3A5D

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast$Exception@8Throw
String ID:
API String ID: 1304663488-0
Opcode ID: 679eb00ce6d7b33e04217fd30150e8eea752e1564d45f4f50b9208b62b1f875a
Instruction ID: 45a6e9fafbba7f383ae9995ec1116ec00dc63eb287e4362a6c50a38b3a355d10
Opcode Fuzzy Hash: 679eb00ce6d7b33e04217fd30150e8eea752e1564d45f4f50b9208b62b1f875a
Instruction Fuzzy Hash: A9219377504124BF9B154EA8EC44CBF3BADEBC67603128639FE09CA104DA71CD0687A4

Function 6E5A7404 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 6E5A7446

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: a7807d0504fe4eaad2d29262e55c5021fbe30baf9517175537605eb557ad981c
Instruction ID: a6b43ea275e59478acaaa8712577a27e4e08cbeca5f34477de119763f85ebc30
Opcode Fuzzy Hash: a7807d0504fe4eaad2d29262e55c5021fbe30baf9517175537605eb557ad981c
Instruction Fuzzy Hash: D921CE32A004209FCB20CFACCD9195A7FE9EF853147098A68EA54DB299D771FC00CBA0

Function 00402303 Relevance: 6.1, APIs: 4, Instructions: 71registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402341
lstrlenA.KERNEL32(0040DB70,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 00402361
RegSetValueExA.ADVAPI32(?,?,?,?,0040DB70,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040239A
RegCloseKey.ADVAPI32(?,?,?,0040DB70,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040247D

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: 7a44758f69a940fdd40397d48906392fba1871583e98eeab66b8864cb714fa92
Instruction ID: 296c73fb00ad4de5de759cf5fdeaac1d87e05e13d386f830c03a67a49eb44fa0
Opcode Fuzzy Hash: 7a44758f69a940fdd40397d48906392fba1871583e98eeab66b8864cb714fa92
Instruction Fuzzy Hash: 261160B1E00109BFEB10AFA0DE49EAF767DFB54398F10413AF905B61D0D6B85D019669

Function 06D91329 Relevance: 6.1, APIs: 4, Instructions: 62stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(74DEF380,00000400,?,00000400,?,74DEF380,00000000), ref: 06D91335
CharPrevA.USER32(74DEF380,00000000,?,74DEF380,00000000), ref: 06D9133F
MulDiv.KERNEL32(?,00000000,00000064), ref: 06D91361
MapDialogRect.USER32(74DEF380,74DEF380), ref: 06D91386

Memory Dump Source

Source File: 00000001.00000002.2976302121.0000000006D91000.00000020.00000001.01000000.00000009.sdmp, Offset: 06D90000, based on PE: true

Associated: 00000001.00000002.2976276508.0000000006D90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2976439780.0000000006D93000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2976488802.0000000006D94000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2976529163.0000000006D97000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6d90000_Au_.jbxd

Similarity

API ID: CharDialogPrevRectlstrlen
String ID:
API String ID: 3411278111-0
Opcode ID: 084647da2e8f1526957321c09eb2181819d7ed4858f12832e30d83aa481ee06f
Instruction ID: 25f55bb7037ea91b0233744d83bd53179eee25692eb7880691c0b3559a070b50
Opcode Fuzzy Hash: 084647da2e8f1526957321c09eb2181819d7ed4858f12832e30d83aa481ee06f
Instruction Fuzzy Hash: 9F115B35E0162AEFDF51AF65DC09BAE7BB9EB017A5F014451ED29A7641C3309A04CBF0

Function 6E5A8D7A Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6E5A8D81

Part of subcall function 6E5BD5AA: _malloc.LIBCMT ref: 6E5BD5C2

std::_Locinfo::~_Locinfo.LIBCPMT ref: 6E5A8E01

Part of subcall function 6E5AC5FE: __EH_prolog3_GS.LIBCMT ref: 6E5AC605

std::_Locinfo::_Locinfo.LIBCPMT ref: 6E5A8DD3
__Getcoll.LIBCPMT ref: 6E5A8DE5

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~__malloc
String ID:
API String ID: 3081597017-0
Opcode ID: 6e9cb8a23bfea94575ed3c22ab2e082a85eee1cd35d204f9a660201ef23bd7e9
Instruction ID: 8731fc41f67434901ad5bf66eb3ca841930ed1e12bbde4e122da95b638e71b26
Opcode Fuzzy Hash: 6e9cb8a23bfea94575ed3c22ab2e082a85eee1cd35d204f9a660201ef23bd7e9
Instruction Fuzzy Hash: 63116471800316CFCB20DFECC454BDDBBF4AF98718F108828D665AB280D774A984CB92

Function 00401EC5 Relevance: 6.1, APIs: 4, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401ED4
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401EF2
GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F0B
VerQueryValueA.VERSION(?,00409010,?,?,?,?,?,00000000), ref: 00401F24

Part of subcall function 00405AC4: wsprintfA.USER32 ref: 00405AD1

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: 533bbaa52b75f52b026b180ddfe2c12257574f1b88f86b37d6c92ef85265d070
Instruction ID: 469f1bc5c2da8f7bf21418c9fa7c855411c387b6ab03f9ca10b763bcdfe7d214
Opcode Fuzzy Hash: 533bbaa52b75f52b026b180ddfe2c12257574f1b88f86b37d6c92ef85265d070
Instruction Fuzzy Hash: 4F113A71A00108BEDB01EFA5DD819AEBBB9EB49344B20853AF501F61E1D7389A54DB28

Function 6E5CD83B Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 6E5CD85F

Part of subcall function 6E5CDF3E: __fltout2.LIBCMT ref: 6E5CDF67

__cftog_l.LIBCMT ref: 6E5CD885
__cftoe_l.LIBCMT ref: 6E5CD8B7

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: 095b57c6d44150038db6d105f7725ef2250b3ccbc9a9cd9a2eb71720b5029dc2
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: E301303208014ABBCF425EC4DC618EE3FA6BF49754B448859FE2895020D336C9B1AF82

Function 6E5C16A9 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 6E5C16C0

Part of subcall function 6E5C1CE2: ___AdjustPointer.LIBCMT ref: 6E5C1D2B

_UnwindNestedFrames.LIBCMT ref: 6E5C16D7
___FrameUnwindToState.LIBCMT ref: 6E5C16E9
CallCatchBlock.LIBCMT ref: 6E5C170D

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: f5c8888ff96fed7a35812a77e01c4de3dc70c969fa8e649db047ada91988d5f4
Instruction ID: 41a7e8382e39ef2ea365efc80a9164fa3370fe2834f74c38d9d89059fdd52737
Opcode Fuzzy Hash: f5c8888ff96fed7a35812a77e01c4de3dc70c969fa8e649db047ada91988d5f4
Instruction Fuzzy Hash: E4012D32000109BBCF029FD5CD50EEA3BF9FF89B54F158419FA1865520D376E8A5DBA5

Function 6E5ACC81 Relevance: 6.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,6E5ADC99,000000FF,00000000,00000000,?,?,00000001,6E5ADC99,?,6E5ACCFC,?,?,6E5ADC99,ROOT\CIMV2), ref: 6E5ACC98
SysAllocStringLen.OLEAUT32(00000000,-00000001), ref: 6E5ACCA6
MultiByteToWideChar.KERNEL32(00000003,00000000,6E5ADC99,000000FF,00000000,?,?,?,00000001,6E5ADC99,?,6E5ACCFC,?,?,6E5ADC99,ROOT\CIMV2), ref: 6E5ACCBC
SysFreeString.OLEAUT32(00000000), ref: 6E5ACCC8

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: ByteCharMultiStringWide$AllocFree
String ID:
API String ID: 447844807-0
Opcode ID: 35a62f96e8eed8c10d117f99080987ecbbdc96e6392bc22793de3d9932438b4c
Instruction ID: b419b5e4530495dafc005bfd92e2aa55cca16a1b6ed14c41ae5f342118b576b8
Opcode Fuzzy Hash: 35a62f96e8eed8c10d117f99080987ecbbdc96e6392bc22793de3d9932438b4c
Instruction Fuzzy Hash: CDF0C231244526BF9B1246DE8C6DD6FBEACDB87671B110218F334D6180DB609D0082B0

Function 6E5B9E3B Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

____lc_locale_name_func.LIBCMT ref: 6E5B9E3B
____lc_collate_cp_func.LIBCMT ref: 6E5B9E43
_memcmp.LIBCMT ref: 6E5B9E62
___crtCompareStringA.LIBCMT ref: 6E5B9E91

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: CompareString____lc_collate_cp_func____lc_locale_name_func___crt_memcmp
String ID:
API String ID: 1685134921-0
Opcode ID: 65bf027ae206f65f0fd2a2b36974c332b74ad8415c6e714963dd838e85d27d56
Instruction ID: 6f6ae3cfa52e161693574e018bfc7ea053f070a4733dc556cbea42c3fbd485ea
Opcode Fuzzy Hash: 65bf027ae206f65f0fd2a2b36974c332b74ad8415c6e714963dd838e85d27d56
Instruction Fuzzy Hash: D2F02832600515AAD7205ADD8CE0EEB37ECDFA1B64F14CA10FE38CA194E7328C924352

Function 06D913FB Relevance: 6.0, APIs: 4, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

CallWindowProcA.USER32(?,?,?,?), ref: 06D9143B
DestroyWindow.USER32 ref: 06D91452
GetProcessHeap.KERNEL32(00000000), ref: 06D9145F
HeapFree.KERNEL32(00000000), ref: 06D91466

Memory Dump Source

Source File: 00000001.00000002.2976302121.0000000006D91000.00000020.00000001.01000000.00000009.sdmp, Offset: 06D90000, based on PE: true

Associated: 00000001.00000002.2976276508.0000000006D90000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2976439780.0000000006D93000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2976488802.0000000006D94000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000001.00000002.2976529163.0000000006D97000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6d90000_Au_.jbxd

Similarity

API ID: HeapWindow$CallDestroyFreeProcProcess
String ID:
API String ID: 1278960361-0
Opcode ID: 008ede724a25f9bf91a08ab9fd3d48a154c393e0a4de23f191b80e659377b87c
Instruction ID: 0c9f8021ad93a01721af6d469fa5cf51a5629f839e3977ada9d3ce5bc609f885
Opcode Fuzzy Hash: 008ede724a25f9bf91a08ab9fd3d48a154c393e0a4de23f191b80e659377b87c
Instruction Fuzzy Hash: BD010C32510206EBCF529F96FC049A93BAAFB49266B508625FB5D82250C7318464DFB1

Function 6E5B5DA2 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6E5B5DA9

Part of subcall function 6E5BD5AA: _malloc.LIBCMT ref: 6E5BD5C2

std::_Locinfo::_Locinfo.LIBCPMT ref: 6E5B5DDE

Part of subcall function 6E5AC947: __EH_prolog3.LIBCMT ref: 6E5AC94E
Part of subcall function 6E5AC947: std::_Lockit::_Lockit.LIBCPMT ref: 6E5AC95B
Part of subcall function 6E5AC947: std::exception::exception.LIBCMT ref: 6E5AC9A2
Part of subcall function 6E5AC947: __CxxThrowException@8.LIBCMT ref: 6E5AC9B7
Part of subcall function 6E5AC947: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 6E5AC9C0

numpunct.LIBCPMT ref: 6E5B5DFC

Part of subcall function 6E5B5CE0: __EH_prolog3_catch.LIBCMT ref: 6E5B5CE7
Part of subcall function 6E5B5CE0: _localeconv.LIBCMT ref: 6E5B5CF1
Part of subcall function 6E5B5CE0: __Getcvt.LIBCPMT ref: 6E5B5CFC
Part of subcall function 6E5B5CE0: __Getcvt.LIBCPMT ref: 6E5B5D29

std::_Locinfo::~_Locinfo.LIBCPMT ref: 6E5B5E0F

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: std::_$GetcvtH_prolog3LocinfoLocinfo::_$Exception@8H_prolog3_catchLocinfo::~_Locinfo_ctorLockitLockit::_Throw_localeconv_mallocnumpunctstd::exception::exception
String ID:
API String ID: 2227016329-0
Opcode ID: 723a7b718b2f54165389a0c4a06814d2c7375fe4aa7c264d8337ec425f7aebe7
Instruction ID: 0226e7f7759576e1d4d07b223865d9089e29ae2723377cf00fb93a0cca6497c4
Opcode Fuzzy Hash: 723a7b718b2f54165389a0c4a06814d2c7375fe4aa7c264d8337ec425f7aebe7
Instruction Fuzzy Hash: 0C017C7190021A9FCB54DFD8C5A17ADB3F9BF84B14F60896ED654AB280CBB05E04C7A1

Function 6E5ADBDF Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6E5ADBE6
VariantInit.OLEAUT32(?), ref: 6E5ADC09
VariantChangeType.OLEAUT32(?,?,00000000,00000008), ref: 6E5ADC28
VariantClear.OLEAUT32(?), ref: 6E5ADC46

Part of subcall function 6E5ADB50: __EH_prolog3.LIBCMT ref: 6E5ADB57

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: Variant$H_prolog3$ChangeClearInitType
String ID:
API String ID: 4262505642-0
Opcode ID: bc7906331779ad689a655021138756579fd4b19b323304bfe3d4871dc47be4de
Instruction ID: d8d0f7a2f4c7c223c6d7707872bac7055bb260f9b37176a072dafbd68a6b7286
Opcode Fuzzy Hash: bc7906331779ad689a655021138756579fd4b19b323304bfe3d4871dc47be4de
Instruction Fuzzy Hash: A4014F759101099BDB01EBE4C954BDDB2FCAF44709F604855EB01E7040DB75AE44CB69

Function 6E5C930E Relevance: 6.0, APIs: 4, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 6E5C9352

Part of subcall function 6E5C2158: __mtinitlocknum.LIBCMT ref: 6E5C216A
Part of subcall function 6E5C2158: __amsg_exit.LIBCMT ref: 6E5C2176
Part of subcall function 6E5C2158: EnterCriticalSection.KERNEL32(00000000,?,6E5C9357,0000000D), ref: 6E5C2183

InterlockedIncrement.KERNEL32(?), ref: 6E5C935F
__lock.LIBCMT ref: 6E5C9373
___addlocaleref.LIBCMT ref: 6E5C9391

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__amsg_exit__mtinitlocknum
String ID:
API String ID: 153627126-0
Opcode ID: 470ab2a15455edad2601c51901403c576bb9d7d48515022aa1e0a7681b8f163e
Instruction ID: 6e04159130d5128f87449c604907638b557d321e3df6b7eab115fb40adce156f
Opcode Fuzzy Hash: 470ab2a15455edad2601c51901403c576bb9d7d48515022aa1e0a7681b8f163e
Instruction Fuzzy Hash: 4B016171400B04DFD7208FE9C41578AB7E4AF84B19F20894ED699977A0CB70A941CB16

Function 6E5A3B57 Relevance: 6.0, APIs: 4, Instructions: 37windowsleepCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 6E5A3B6C
DispatchMessageA.USER32(?), ref: 6E5A3B7A
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 6E5A3B89
Sleep.KERNEL32(00000000), ref: 6E5A3B94

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: Message$Peek$DispatchSleep
String ID:
API String ID: 3374569338-0
Opcode ID: 77e7a3aee6726ba6edfb4bb8210cfd355a804bff9b05a3f54b0c4ed382877891
Instruction ID: 591e6d69f2f79f9758c0797f380135575faa2fb27d37086bd63e2e37fbacfc4a
Opcode Fuzzy Hash: 77e7a3aee6726ba6edfb4bb8210cfd355a804bff9b05a3f54b0c4ed382877891
Instruction Fuzzy Hash: 9FF037B2E4060D7FEB106EF94CCCEEF76ADD70568CB014421B652D1046EA65DC014774

Function 10001438 Relevance: 6.0, APIs: 4, Instructions: 29windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003EC), ref: 1000145F
SendMessageA.USER32(00000000), ref: 10001462
GetDlgItem.USER32(?,00000001), ref: 10001477
EnableWindow.USER32(00000000), ref: 1000147A

Memory Dump Source

Source File: 00000001.00000002.2976574315.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2976553438.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2976597083.0000000010004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2976619836.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Au_.jbxd

Similarity

API ID: Item$EnableMessageSendWindow
String ID:
API String ID: 3471810782-0
Opcode ID: 15d315f0db403b3f3c16512ae4a295740f4d5e2608bcb69e19ad7cb2dcc1ea7e
Instruction ID: 77863b45c66a0b8e4b700892c5372225986847c0b6868ea12d8a7278d44f8156
Opcode Fuzzy Hash: 15d315f0db403b3f3c16512ae4a295740f4d5e2608bcb69e19ad7cb2dcc1ea7e
Instruction Fuzzy Hash: 3FE06D70A04220ABFB109B608C84EFB7E9EEB41790F004816F584E60E5C661CC81DA61

Function 6E5AFBF2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 163COMMON

Download Yara Rule

Strings

, xrefs: 6E5AFD79

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: edaa4012f872d3f4d53c587681ce35f0faf850dc3408d0996882797d1f3b6d65
Instruction ID: 50958b4611b409ce0b4645b0c5ca992285b1d381e50726416964319669a99b65
Opcode Fuzzy Hash: edaa4012f872d3f4d53c587681ce35f0faf850dc3408d0996882797d1f3b6d65
Instruction Fuzzy Hash: 2A514B712183069FC715CF68C490A5EB7F9BF88318F604E2EFA9597240E730E949CB62

Function 6E5B20BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

Part of subcall function 6E5A49A7: lstrcpynA.KERNEL32(?,6E5E1708,?,00002000,6E5E1704,6E5B18D9), ref: 6E5A49CD
Part of subcall function 6E5A49A7: GlobalFree.KERNEL32(6E5E1704), ref: 6E5A49DE

Part of subcall function 6E5B6E7E: __EH_prolog3_GS.LIBCMT ref: 6E5B6E85

UuidFromStringA.RPCRT4(?,?), ref: 6E5B21C1
_free.LIBCMT ref: 6E5B22CA

Strings

d%^n, xrefs: 6E5B223D

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: FreeFromGlobalH_prolog3_StringUuid_freelstrcpyn
String ID: d%^n
API String ID: 4020302587-632555462
Opcode ID: 34d360abf1470c0b8500bda13a982ec4b34dfcf53586415e5b4f7db460643fe8
Instruction ID: a0b12ce2c7fa0a813fc11eed02f204a1a673f983f664d804a7a88b9521f7d4e6
Opcode Fuzzy Hash: 34d360abf1470c0b8500bda13a982ec4b34dfcf53586415e5b4f7db460643fe8
Instruction Fuzzy Hash: D3514571118784AFD760DBA8C854ADFB7F9AFD9304F400C2DE68987260EB30A949CB53

Function 6E5B661C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 121COMMON

Download Yara Rule

APIs

Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 6E5B681E

Strings

Ob[n, xrefs: 6E5B677B, 6E5B6744, 6E5B67FC
vector<T> too long, xrefs: 6E5B6814

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception
String ID: Ob[n$vector<T> too long
API String ID: 120817956-4091465483
Opcode ID: 7b4fa60e1a0667b1c142ec668ec5e4af389142041af26fd45584831816cf7dc9
Instruction ID: 49181bda5f627d3dd1386739d7374cf68483ebd5c16675bf5f8ff47726755fbc
Opcode Fuzzy Hash: 7b4fa60e1a0667b1c142ec668ec5e4af389142041af26fd45584831816cf7dc9
Instruction Fuzzy Hash: C141307572020A9FDF08CFACC9A489AB7E5FF883147148669E919DB345D770EE11CB50

Function 6E5AC51D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 6E5AC581

Strings

string too long, xrefs: 6E5AC5BE
invalid string position, xrefs: 6E5AC5B4

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: f6b2580a8274c1c6783b641aa4001b0075c53ae62bed2ea7d74ce34194859604
Instruction ID: a8d734556e42e6a7f12d512fc380f35cbfae5c203d6ad0aaac21656d4428cd9c
Opcode Fuzzy Hash: f6b2580a8274c1c6783b641aa4001b0075c53ae62bed2ea7d74ce34194859604
Instruction Fuzzy Hash: D921C3712002019BDB24EEEDD840E6E77EEAB8A744B10492DF6118F641D771D9418BD1

Function 6E5B74CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6E5B74D6
__Stoulx.LIBCPMT ref: 6E5B7540

Strings

-, xrefs: 6E5B7574

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: H_prolog3_Stoulx
String ID: -
API String ID: 3180878350-2547889144
Opcode ID: 026378603fe90d89ee7c43752f34ea09e21d7d1e26604f7b8e69acfb59b73d22
Instruction ID: 032337c8143cfd9768763aef574e5225173900bc0632e6065aff327f47cb39f9
Opcode Fuzzy Hash: 026378603fe90d89ee7c43752f34ea09e21d7d1e26604f7b8e69acfb59b73d22
Instruction Fuzzy Hash: 982139B2900219AFDB15DFD4D9A0AEEB7F8AF48314F00466AF905A7280E734AE05CB51

Function 6E5B75A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6E5B75A9
__Stoulx.LIBCPMT ref: 6E5B7613

Strings

-, xrefs: 6E5B7644

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: H_prolog3_Stoulx
String ID: -
API String ID: 3180878350-2547889144
Opcode ID: 15adee37f37a5fec4fe48ac3a99703d264b6c4190a5bb12fcc535780cd5752fc
Instruction ID: 80fab633163e3036ff80eb4ec87e7f5906cbc37a9845b0b192edbfb5988aced8
Opcode Fuzzy Hash: 15adee37f37a5fec4fe48ac3a99703d264b6c4190a5bb12fcc535780cd5752fc
Instruction Fuzzy Hash: FE212DB290021CAFDF11DF94D990AEEB7F8FB48314F11466AE915A7280D7309E09CB91

Function 00404E54 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404E8A
CallWindowProcA.USER32(?,00000200,?,?), ref: 00404EF8

Part of subcall function 00403F64: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 00403F76

Strings

, xrefs: 00404E62

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: a84b5296b4eeae82f408269d2d1b8d7033f61a03f51c3bbd89419221396ae481
Instruction ID: 574ffcac201dacb39b42018bad0bebdbc1389d908601d56a0bf61ad4508792f4
Opcode Fuzzy Hash: a84b5296b4eeae82f408269d2d1b8d7033f61a03f51c3bbd89419221396ae481
Instruction Fuzzy Hash: D6114F71940208BBEF21AF52DC4499F3729FB45769F00803BF604792E1C77D5A519BAD

Function 6E5B170D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

EnumWindows.USER32(6E5A11CE,00000000), ref: 6E5B175A

Part of subcall function 6E5B60C3: __EH_prolog3.LIBCMT ref: 6E5B60CA
Part of subcall function 6E5B60C3: Sleep.KERNEL32(00000032,00000024,6E5B177C,firefox.exe), ref: 6E5B6100

EnumWindows.USER32(6E5A113B,00000000), ref: 6E5B1796

Strings

firefox.exe, xrefs: 6E5B1760

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: EnumWindows$H_prolog3Sleep
String ID: firefox.exe
API String ID: 2049615448-3034799888
Opcode ID: e54cbb1c8ced4945fdf1e05504b4761167e49f5d5de36826325e37d1a0530175
Instruction ID: f705b3dab53ce7134d72811387f7ff3896224fd356826d4aa06da101c25766f0
Opcode Fuzzy Hash: e54cbb1c8ced4945fdf1e05504b4761167e49f5d5de36826325e37d1a0530175
Instruction Fuzzy Hash: C6018C71A04745AFCB40EFA8C995A9E7BE4FB49654F014919FA598B381EF30E808CB81

Function 6E5B163D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6E5B1644

Part of subcall function 6E5A168D: __EH_prolog3.LIBCMT ref: 6E5A1694

__CxxThrowException@8.LIBCMT ref: 6E5B168C

Part of subcall function 6E5C0A65: RaiseException.KERNEL32(?,?,6E5B96F2,6E5B176E,?,?,?,?,6E5B96F2,6E5B176E,6E5E4128,?), ref: 6E5C0AB6

Strings

: this object doesn't support resynchronization, xrefs: 6E5B165D

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: ExceptionException@8H_prolog3H_prolog3_RaiseThrow
String ID: : this object doesn't support resynchronization
API String ID: 1139647276-2714550406
Opcode ID: ceec2945c2fa468eb6c5fcaa8e48cc4aad81074cdc02006c9161c710d36e731b
Instruction ID: 4c773153f9c77b1da92882db77ff3a60e64ce0b2ac278603d94cb6b636d040cb
Opcode Fuzzy Hash: ceec2945c2fa468eb6c5fcaa8e48cc4aad81074cdc02006c9161c710d36e731b
Instruction Fuzzy Hash: 1EF06771610208AFDB00DBE8D945FEEBBF8AF44304F104459A205EFA81DB70AE48CB66

Function 6E5A2762 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 6E5A278D

Strings

WSZn, xrefs: 6E5A2778, 6E5A2799, 6E5A27A2, 6E5A2788
HKEY_CLASSES_ROOT, xrefs: 6E5A2765

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: _memcmp
String ID: HKEY_CLASSES_ROOT$WSZn
API String ID: 2931989736-4166011388
Opcode ID: 56697756f125c7f4f0cc85555ddf2027b3cd69df537d13dd7dbd4c5657d8003e
Instruction ID: e6c31095425ab6802665cd054458a17c3297700cbf2977160ebed50c4958f203
Opcode Fuzzy Hash: 56697756f125c7f4f0cc85555ddf2027b3cd69df537d13dd7dbd4c5657d8003e
Instruction Fuzzy Hash: 10F0E23260022ADFDF08DE6D9C014EE33EAAF44610711492CEC21A7191D332ED528AE2

Function 6E5A1DD1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6E5A1DD8

Part of subcall function 6E5A168D: __EH_prolog3.LIBCMT ref: 6E5A1694

__CxxThrowException@8.LIBCMT ref: 6E5A1E19

Part of subcall function 6E5C0A65: RaiseException.KERNEL32(?,?,6E5B96F2,6E5B176E,?,?,?,?,6E5B96F2,6E5B176E,6E5E4128,?), ref: 6E5C0AB6

Part of subcall function 6E5A39D1: _malloc.LIBCMT ref: 6E5A39DC

Strings

AllocatorBase: requested size would cause integer overflow, xrefs: 6E5A1DEA

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: ExceptionException@8H_prolog3H_prolog3_RaiseThrow_malloc
String ID: AllocatorBase: requested size would cause integer overflow
API String ID: 2421882169-10355266
Opcode ID: b4da84afee581c181de87b0246a7be4c69c1ad276af28116d43bb85d69f5bfaf
Instruction ID: 1eb29d95b85dec34d93d15babb4f46146cdca4b8f75dd370aa84f135ace8933a
Opcode Fuzzy Hash: b4da84afee581c181de87b0246a7be4c69c1ad276af28116d43bb85d69f5bfaf
Instruction Fuzzy Hash: 4CF090B1A001049ECB54DBE8CA20BED77F89F58714F50891DE712EB680DB348E0C8766

Function 6E5A1A19 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6E5A1A20

Part of subcall function 6E5A168D: __EH_prolog3.LIBCMT ref: 6E5A1694

__CxxThrowException@8.LIBCMT ref: 6E5A1A54

Part of subcall function 6E5C0A65: RaiseException.KERNEL32(?,?,6E5B96F2,6E5B176E,?,?,?,?,6E5B96F2,6E5B176E,6E5E4128,?), ref: 6E5C0AB6

Part of subcall function 6E5A172C: __EH_prolog3.LIBCMT ref: 6E5A1733
Part of subcall function 6E5A172C: std::exception::exception.LIBCMT ref: 6E5A1741

Strings

Clone() is not implemented yet., xrefs: 6E5A1A25

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: H_prolog3$ExceptionException@8H_prolog3_RaiseThrowstd::exception::exception
String ID: Clone() is not implemented yet.
API String ID: 3352605447-226299721
Opcode ID: 5116eb8b39d25dc23c434671df0526320536e00aecde1dff2047efcf66f6181a
Instruction ID: ccef2e9ffd92b1ec9070d149927d81980cbcd496800ff838f0bbfe7bb793c319
Opcode Fuzzy Hash: 5116eb8b39d25dc23c434671df0526320536e00aecde1dff2047efcf66f6181a
Instruction Fuzzy Hash: FDF01CB1910118AACB10DBD9CD00BDDBBFCAB587A4F440429E704EB941DBB19D09CB6A

Function 004053C6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0043E4A8,Error launching installer), ref: 004053EB
CloseHandle.KERNEL32(?), ref: 004053F8

Strings

Error launching installer, xrefs: 004053D9

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: b7c9d10a8054e1d63aace513746620387ba85298539cfb76979fbda5e6a590d7
Instruction ID: 5c094ea24e64812d6ab6634a7517117686aedeac2daf9b822694a8d73c7fdf3e
Opcode Fuzzy Hash: b7c9d10a8054e1d63aace513746620387ba85298539cfb76979fbda5e6a590d7
Instruction Fuzzy Hash: 43E0ECB4900209AFEB00AF65DC49AAB7BBDEB18315F10D522A911E2190D775D8109A79

Function 6E5B65E8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 6E5BD5AA: _malloc.LIBCMT ref: 6E5BD5C2

Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 6E5B6616

Strings

Ob[n, xrefs: 6E5B689C, 6E5B66D3
list<T> too long, xrefs: 6E5B68E7

Memory Dump Source

Source File: 00000001.00000002.2976668284.000000006E5A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E5A0000, based on PE: true

Associated: 00000001.00000002.2976646555.000000006E5A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976713572.000000006E5DA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976738171.000000006E5E8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2976758912.000000006E5ED000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e5a0000_Au_.jbxd

Similarity

API ID: Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception_malloc
String ID: Ob[n$list<T> too long
API String ID: 657562460-1467821306
Opcode ID: ab8f10ec5115c6317694ca7565a4e494030976c81e9f900ec708935f841ea63b
Instruction ID: d19f269edfea53820305203cbc2b8aa3f93fcfdc0b7833d5b1c63df915a46665
Opcode Fuzzy Hash: ab8f10ec5115c6317694ca7565a4e494030976c81e9f900ec708935f841ea63b
Instruction Fuzzy Hash: 5CE04FB53143069B9B4C9F95C070A7637DCABA1214B10882DD9198F684DA71D8008720

Function 0040361A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,"C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" ,00000000,74DF2EE0,004035F1,00000000,0040342D,00000000), ref: 00403634
GlobalFree.KERNEL32(?), ref: 0040363B

Strings

"C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" , xrefs: 0040362C

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: "C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe"
API String ID: 1100898210-1499594739
Opcode ID: 75c0d4a1740ce41e79f0191f5d68a1ca9e627b85db2cb00bb4df0cbf6dd70357
Instruction ID: cf5896ae3eaafbbd98579327fd8fb68bce34fe610569fc10f3715d7aba606bee
Opcode Fuzzy Hash: 75c0d4a1740ce41e79f0191f5d68a1ca9e627b85db2cb00bb4df0cbf6dd70357
Instruction Fuzzy Hash: 1AE0C233D04020ABCB325F46EC0575A77ACAF48B72F024426E8007B3A087742C424FDC

Function 025010D6 Relevance: 5.1, APIs: 4, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02501561: lstrcpyA.KERNEL32(00000000,?,?,?,02501804,?,02501017), ref: 0250157E
Part of subcall function 02501561: GlobalFree.KERNEL32 ref: 0250158F

GlobalAlloc.KERNEL32(00000040,?), ref: 02501151
GlobalFree.KERNEL32(00000000), ref: 025011AA
GlobalFree.KERNEL32(?), ref: 025011BD
GlobalFree.KERNEL32(?), ref: 025011EB

Memory Dump Source

Source File: 00000001.00000002.2973409424.0000000002501000.00000020.00000001.01000000.00000008.sdmp, Offset: 02500000, based on PE: true

Associated: 00000001.00000002.2973389138.0000000002500000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.2973429594.0000000002503000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.2973449141.0000000002505000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2500000_Au_.jbxd

Similarity

API ID: Global$Free$Alloclstrcpy
String ID:
API String ID: 852173138-0
Opcode ID: 897ac0c4bb73b06b393ef8a5bc0bf7cdd6f1ae598817b006346b8eefe8320f4a
Instruction ID: 8681ff1b866bdcbcd7e8f104720721c39c3ac61883fa7111f3701dd1427f2f32
Opcode Fuzzy Hash: 897ac0c4bb73b06b393ef8a5bc0bf7cdd6f1ae598817b006346b8eefe8320f4a
Instruction Fuzzy Hash: 1F31E071840A45AFE714DF68EDD8E3A7FB8FB45354B048855E949DA184E7308814CF1E

Function 004057B2 Relevance: 5.0, APIs: 4, Instructions: 30stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,004059C0,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057B9
lstrcmpiA.KERNEL32(00000000,00000000), ref: 004057D2
CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 004057E0
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004059C0,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057E9

Memory Dump Source

Source File: 00000001.00000002.2972549926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2972517186.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972577518.0000000000407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000409000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.0000000000416000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000041F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000043E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972607881.000000000046F000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2972789889.000000000052B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Au_.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction ID: 042c172281cf084eebf1820456e7eb749b121a10276c912c68532230cfd8689c
Opcode Fuzzy Hash: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction Fuzzy Hash: BBF0A736249D51DBC2029B295C44E6FBEA4EF95355F14057EF440F3180D335AC11ABBB

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Uninstall.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsf2165.tmp\NSISPlugin.dll

C:\Users\user\AppData\Local\Temp\nsf2165.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nsf2165.tmp\UAC.dll

C:\Users\user\AppData\Local\Temp\nsf2165.tmp\modern-wizard.bmp

C:\Users\user\AppData\Local\Temp\nsf2165.tmp\nsDialogs.dll

C:\Users\user\AppData\Local\Temp\nsu2089.tmp

C:\Users\user\AppData\Local\Temp\nsz1ED4.tmp

C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe

C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
Uninstall.exe

Function 0040323C Relevance: 61.5, APIs: 24, Strings: 11, Instructions: 270
filestringcomCOMMON

Function 00406131 Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Function 004058B4 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 144
filememoryCOMMON

Function 00402C72 Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 203
memoryCOMMON

Function 00403043 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108
fileCOMMON

Function 00402F18 Relevance: 7.6, APIs: 5, Instructions: 109
fileCOMMON

Function 0040586C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32
COMMON

Function 004053C6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Function 00406566 Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Function 00406767 Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Function 0040647D Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Function 00405F82 Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Function 004063D0 Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Function 004064EE Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Function 0040643A Relevance: 5.2, APIs: 4, Instructions: 168
COMMON